Fault Studies to Discuss Deterministic Analysis, PSA and Fault

UK ABWR
Document ID: GA91-9901-0009-00001
Document Number: XE-GD-0105
Revision Number: C
UK ABWR Generic Design Assessment
Fault Studies to Discuss Deterministic Analysis, PSA and Fault
Schedule Development
Hitachi-GE Nuclear Energy, Ltd.
DISCLAIMERS
Proprietary Information
This document contains proprietary information of Hitachi-GE Nuclear Energy, Ltd. (Hitachi-GE), its
suppliers and subcontractors. This document and the information it contains shall not, in whole or in part,
be used for any purpose other than for the Generic Design Assessment (GDA) of Hitachi-GE’s UK ABWR.
This notice shall be included on any complete or partial reproduction of this document or the information it
contains.
Copyright
No part of this document may be reproduced in any form, without the prior written permission of
Hitachi-GE Nuclear Energy, Ltd. Copyright (C) 2014 Hitachi-GE Nuclear Energy, Ltd. All Rights Reserved.
Form05/00
UK ABWR
NOT PROTECTIVELY MARKED
GDA Preliminary Safety Report
Revision C
Table of Contents
1. Introduction
2. Fault Assessment
2.1 Approach
2.2 Fault Schedule
3. Deterministic Safety Analysis
3.1 Scope of Assessment
3.2 Criteria
3.3 Analysis Code
3.4 Frequent Design Basis Faults
3.5 Infrequent Design Basis Faults
3.6 Beyond Design Basis Faults
3.7 Conclusions
4. Probabilistic Safety Assessment
4.1 Requirements and Assumptions
4.2 Internal Event Level 1 PSA
4.3 Internal Event Level 2 PSA
4.4 Internal Event Level 3 PSA
4.5 External Event PSA
4.6 Conclusions
5. Conclusions
6. Reference
Acronyms
Abbreviations and Acronyms: Description
ABWR: Advanced Boiling Water Reactor
ACWA: AC-Independent Water Addition system
AESJ: Atomic Energy Society of Japan
AM: Accident Management
AOOs: Anticipated Operational Occurrences
ARI: Alternative Rod Insertion system
APTA: Trip of all Reactor Internal Pumps Accident
ASEP: Accident Sequence Evaluation Program
ATWS: Anticipated Transient Without Scram
BSL: Basic Safety Level
BSO: Basic Safety Objective
BT: Boiling Transition
BWR: Boiling Water Reactor
CCI: Commercially Confidential Information
CCF: Common Cause Failure
CCFL: Countercurrent Flow Limitation
CCFP: Conditional Containment Failure Probability
CDF: Core Damage Frequency
CFF: Containment Failure Frequency
CFP: Containment Failure Probability
COPS: Containment Overpressure Protection System
CPR: Critical Power Ratio
CR: Control Rod / Control Room
CRD: Control Rod Drive
DB: Design Basis
DBA: Design Basis Accident
DCD: Design Control Document
DCH: Direct Containment Heating
DG: Diesel Generator
DGFO: Diesel Generator Fuel Oil
DSA: Deterministic Safety Analysis
EA: Environment Agency
ECCS: Emergency Core Cooling System
EDG: Emergency Diesel Generator
FCI: Fuel Coolant Interaction
FLSS: Flooding system of Specific Safety system
FP: Fire Protection system
FPC: Fuel Pool Cooling and filtering (Clean-up) system
GDA: Generic Design Assessment
GEXL: GE Critical Quality (Xc)-Boiling Length (LB) correlation
HSE: UK Health and Safety Executive
HPCF: High Pressure Core Flooder system
HVAC: Heating, Venting and Air conditioning and Cooling
IAEA: International Atomic Energy Agency
IE: Initiating Event
IORV: Inadvertent Open Relief Valve
JANSI: Japan Nuclear Safety Institute
JNES: Japan Nuclear Energy Safety Organization
LDF: Lower Drywell Flooder system
LOCA: Loss Of Coolant Accident
LPFL: Low Pressure Flooder system
LPRM: Local Power Range Monitor
LRF: Large Release Frequency
LUHS: Loss of Ultimate Heat Sink
MCCI: Molten Core Concrete Interaction
MCPR: Minimum Critical Power Ratio
MSIV: Main Steam Isolation Valve
MSLBA: Main Steam Line Break
MUWC: Make-Up Water Condensate system
NISA: Nuclear and Industrial Safety Agency
NPP: Nuclear Power Plant
NRC: Nuclear Regulatory Commission / National Radiation Council
OLMCPR: Operating Limit MCPR
ONR: Office for Nuclear Regulation
PCS: Power Conversion System
PCSR: Pre-Construction Safety Report
PCT: Peak Cladding Temperature
PCV: Primary Containment Vessel
PIE: Postulated Initiating Event
POS: Plant Operating State
PSA: Probabilistic Safety Assessment
RCIC: Reactor Core Isolation Cooling system
RCW: Reactor Cooling Water system
RHR: Residual Heat Removal system
RIP: Reactor Internal Pump
RPT: Recirculation Pump Trip
RPS: Reactor Protection System
RPV: Reactor Pressure Vessel
RSW: Reactor Sea Water system
RW: Rad. Waste
SAP: Safety Assessment Principle
SBO: Station Blackout
SFP: Spent Fuel Pool
SGTS: Stand-by Gas Treatment System
SLC: Standby Liquid Control system
SLMCPR: Safety Limit MCPR
SORV: Spurious Open of Relief Valves
SPCU: Suppression Pool water Clean-Up system
SRV: Safety Relief Valve
SSC: Structures, Systems and Components
T&M: Test and Maintenance
TAF: Top of Active Fuel
TBD: To Be Determined
URD: User Requirements Document
1. Introduction
The safety systems and the safety-related systems of the UK ABWR plant will be designed such that
environmental release of any radioactive material from the plant during all modes of operation is
acceptably minimized. To demonstrate the adequacy of the safety design and the suitability and
sufficiency of the safety measures, fault assessment will be performed for UK ABWR.
This document describes the approach taken in developing the fault assessment, which consists of
the fault schedule, the Deterministic Safety Analysis (DSA) and the Probabilistic Safety Assessment
(PSA).
Draft initiating events for DSA and a draft fault schedule have been developed on the basis of
Hitachi-GE practice as the starting point of our discussion for Step 1 and 2. Further discussion of the
draft initiating events and draft fault schedule is presented in Section 2. The list of initiating
events will be developed using a systematic exercise, such as an FMEA exercise, and the fault schedule
will be developed based on Hitachi-GE practice for Japanese ABWR in Step 2. They will be
reassessed based on the UK ABWR design, will involve faults associated with spent fuel and so on in
Step 2 and 3, and will be completed in Step 3.
Section 3 describes the scope of events assessed, the acceptance criteria and the analysis code for DSA.
In addition, examples of DSA performed based on Hitachi-GE practice are presented to explain that
the basic design policies of the safety systems are adequate and that the acceptance criteria in Japan are met.
DSA for UK ABWR will be performed in Step 2-4. As the first step, DSA results for UK ABWR will
be provided in the PCSR published at the end of Step 2. A submittal plan for the documents
regarding DSA during Step 2 will also be discussed.
Section 4 describes the requirements and assumptions as high-level information on the method, together
with some examples and indicative results from PSA. The development plan for PSAs during GDA is also discussed.
2. Fault Assessment
2.1 Approach
A systematic approach to plant safety is applied to UK ABWR for fault assessment. Initiating
events which lead to abnormal states will be identified systematically, auditably, and
comprehensively under all operating modes and configurations, including partial power operation
and shutdown state, and the impact of internal and external hazards. An initiating event that has an
initiating frequency higher than about 1×10^-3 pa is categorized as a design basis frequent fault. An
initiating event that has an initiating frequency lower than about 1×10^-3 pa and higher than about
1×10^-5 pa is categorized as a design basis infrequent fault.
For design basis faults, the fault schedule will be developed in order to provide a clear and auditable
linking of initiating events, fault sequences and safety measures.
DSA will be carried out for design basis faults to confirm the adequacy of the safety design and the
suitability and sufficiency of the safety measures against target 4 in HSE SAPs. DSA will also be
carried out for beyond design basis faults to demonstrate that the safety measures can control severe
plant conditions, such as frequent faults with common mode failure of an engineered safety system or
additional failures beyond the single failure criterion applied to design basis faults, against target 4 in
HSE SAPs. Fault sequences of beyond design basis faults will be analysed using realistic and best
estimate assumptions.
PSA will be carried out to evaluate the overall risk in order to confirm compliance with targets 7, 8
and 9 in HSE SAPs and to understand the strengths and weaknesses of the safety design.
2.2 Fault Schedule
2.2.1 Identification of Initiating Events
(1) Initiating Events on Hitachi-GE practice
In this subsection, Initiating Events based on Japanese DSA practice by Hitachi-GE are provided for
informational purposes only; the final fault studies will consider all potential initiating events
consistent with HSE SAPs.
In Japanese practice, DSA of the events shown below is performed to confirm the adequacy of the
safety design.
- Anticipated operational occurrences (AOOs), which are chosen considering initiating
event frequency: 10^-1 ~ 10^-(2~3) pa
• The events during reactor operation may lead to conditions that deviate from
normal operation.
• The events are expected to occur once or several times during the operating life of
the nuclear reactor facility by single component failures, single component
malfunctions or single misoperations, or by disturbances with a similar probability
of occurrence.
- Design basis accidents (DBAs), which are chosen considering initiating event
frequency: 10^-3 ~ 10^-5 pa
• The events beyond AOOs.
• The events have quite small probabilities of occurrence.
• The events may potentially lead to the release of radioactive materials from the
nuclear reactor facility.
For AOOs, logic tree analysis is performed to identify PIEs which lead to the following abnormal
states, as shown in Fig. 2.2-1 ~ 2.2-11. The representative initiating events to be analyzed in DSA are
selected in terms of qualitative severity.
1) Abnormal change in the reactivity or power distribution in the core
2) Abnormal change in heat generation or removal in the core
3) Abnormal change in reactor coolant pressure or reactor coolant inventory
In Hitachi-GE practice, the initiating events shown below are identified as representative events of
AOOs for ABWR based on the logic tree analysis.
1) Abnormal change in reactivity or power distribution in the core
a. Control rod withdrawal error at reactor start-up
b. Control rod withdrawal error at power
2) Abnormal change in heat generation or removal in the core
a. Partial loss of reactor coolant flow (Trip of three reactor internal pumps)
b. Loss of off-site power
c. Loss of feedwater heating
d. Recirculation flow control failure (Runout of all reactor internal pumps)
3) Abnormal change in reactor coolant pressure or reactor coolant inventory
a. Generator load rejection with bypass / with failure of all bypass valves
b. Inadvertent MSIV (Main Steam Isolation Valve) closure
c. Feedwater controller failure – Maximum demand
d. Reactor pressure regulator in the open direction
e. Loss of all feedwater flow
For DBAs, logic tree analysis is performed to identify PIEs which lead to the following abnormal
states, as shown in Fig. 2.2-12 ~ 2.2-15. The representative initiating events to be analyzed in DSA
are selected in terms of qualitative severity.
1) Loss of reactor coolant or considerable change in core cooling
2) Abnormal reactivity insertion or rapid change in reactor power
3) Abnormal release of radioactive materials to the environment
4) Abnormal change in pressure and atmosphere etc. in the primary containment
In Hitachi-GE practice, the initiating events shown below are identified as representative events of
DBAs for ABWR based on the logic tree analysis.
1) Loss of reactor coolant or considerable change in core cooling
a. Loss of coolant (LOCA)
b. Loss of reactor coolant flow (Trip of all reactor internal pumps)
2) Abnormal reactivity insertion or rapid change in reactor power
a. Control rod drop
3) Abnormal release of radioactive materials to the environment
a. Offgas treatment system failure
b. Main steam line break (MSLBA)
c. Fuel assembly drop (Fuel Handling Accident)
d. Loss of coolant (LOCA)
e. Control rod drop
4) Abnormal change in pressure and atmosphere etc. in the primary containment
a. Loss of coolant (LOCA)
b. Generation of flammable gas
c. Generation of dynamic load
[Abnormal State] -> [Cause of Abnormal State] -> [Postulated Disturbance]
Abnormal change in the reactivity or power distribution in the core
- Change in reactivity
• Increase in reactivity
• Decrease in reactivity
- Change in power distribution
• Distribution anomaly
Abnormal change in heat generation or removal in the core
- Change in coolant temperature
• Decrease in coolant temperature
• Increase in coolant temperature
- Change in coolant flow rate
• Decrease in coolant flow rate
• Increase in coolant flow rate
- Loss of power
• Failure of Power supply system
Abnormal change in reactor coolant pressure or reactor coolant inventory
- Change in reactor coolant pressure
• Increase in reactor pressure
• Decrease in reactor pressure
- Change in reactor coolant inventory
• Decrease in reactor coolant inventory
• Increase in reactor coolant inventory
Fig. 2.2-1 Logic Tree Analysis for Identification of Postulated Disturbance for
AOOs on Hitachi-GE Practice
[Figure: logic tree diagram; columns: Postulated Disturbance, Event, Initiating Event, Evaluation. Postulated disturbance: Increase in reactivity in the core.]
Fig. 2.2-2 Logic Tree Analysis for Identification of Initiating Event for AOOs on
Hitachi-GE Practice (1/10)
[Figure: logic tree diagram; columns: Postulated Disturbance, Event, Initiating Event, Evaluation. Postulated disturbance: Power distribution anomaly.]
Fig. 2.2-3 Logic Tree Analysis for Identification of Initiating Event for AOOs on
Hitachi-GE Practice (2/10)
[Figure: logic tree diagram; columns: Postulated Disturbance, Event, Initiating Event, Evaluation. Postulated disturbance: Decrease in coolant temperature.]
Fig. 2.2-4 Logic Tree Analysis for Identification of Initiating Event for AOOs on
Hitachi-GE Practice (3/10)
[Figure: logic tree diagram; columns: Postulated Disturbance, Event, Initiating Event, Evaluation. Postulated disturbance: Decrease in coolant flow rate.]
Fig.2.2-5 Logic Tree Analysis for Identification of Initiating Event for AOOs on
Hitachi-GE Practice (4/10)
[Figure: logic tree diagram; columns: Postulated Disturbance, Event, Initiating Event, Evaluation. Postulated disturbance: Increase in coolant flow rate.]
Fig.2.2-6 Logic Tree Analysis for Identification of Initiating Event for AOOs on
Hitachi-GE Practice (5/10)
[Figure: logic tree diagram; columns: Postulated Disturbance, Event, Initiating Event, Evaluation. Postulated disturbance: Failure of power supply system.]
Fig.2.2-7 Logic Tree Analysis for Identification of Initiating Event for AOOs on
Hitachi-GE Practice (6/10)
[Figure: logic tree diagram; columns: Postulated Disturbance, Event, Initiating Event, Evaluation. Postulated disturbance: Increase in reactor pressure.]
Fig.2.2-8 Logic Tree Analysis for Identification of Initiating Event for AOOs on
Hitachi-GE Practice (7/10)
[Figure: logic tree diagram; columns: Postulated Disturbance, Event, Initiating Event, Evaluation. Postulated disturbance: Decrease in reactor pressure.]
Fig.2.2-9 Logic Tree Analysis for Identification of Initiating Event for AOOs on
Hitachi-GE Practice (8/10)
[Figure: logic tree diagram; columns: Postulated Disturbance, Event, Initiating Event, Evaluation. Postulated disturbance: Decrease in reactor coolant inventory.]
Fig.2.2-10 Logic Tree Analysis for Identification of Initiating Event for AOOs on
Hitachi-GE Practice (9/10)
[Figure: logic tree diagram; columns: Postulated Disturbance, Event, Initiating Event, Evaluation. Postulated disturbance: Increase in reactor coolant inventory.]
Fig.2.2-11 Logic Tree Analysis for Identification of Initiating Event for AOOs on
Hitachi-GE Practice (10/10)
[Abnormal State] -> [Cause of Abnormal State] -> [Postulated Disturbance]
Loss of reactor coolant or considerable change in core cooling
- Change in coolant inventory
• Decrease in Reactor coolant inventory
• Increase in Reactor coolant inventory
- Change in coolant flow rate
• Decrease in coolant flow rate
• Increase in coolant flow rate
Abnormal reactivity insertion or rapid change in reactor power
- Change in reactivity
• Increase in reactivity
• Decrease in reactivity
- Change in power distribution
• Distribution anomaly
Fig.2.2-12 Logic Tree Analysis for Identification of Postulated Disturbance for
DBAs on Hitachi-GE Practice
[Figure: logic tree diagram; columns: Postulated Disturbance, Event, Initiating Event, Evaluation. Postulated disturbance: Decrease in reactor coolant inventory.]
Fig.2.2-13 Logic Tree Analysis for Identification of Initiating Event for DBAs on
Hitachi-GE Practice (1/3)
[Figure: logic tree diagram; columns: Abnormal State, Event, Initiating Event, Evaluation. Abnormal state: Abnormal release of radioactive materials to the environment.]
Fig.2.2-14 Logic Tree Analysis for Identification of Initiating Event for DBAs on
Hitachi-GE Practice (2/3)
[Figure: logic tree diagram; columns: Abnormal State, Initiating Event, Evaluation. Abnormal state: Abnormal change in pressure and atmosphere etc. in the primary containment.]
Fig.2.2-15 Logic Tree Analysis for Identification of Initiating Event for DBAs on
Hitachi-GE Practice (3/3)
(2) Comparison with Initiating Events (IEs) in IAEA Safety Guide
Table 2.2-1 and Table 2.2-2 compare the IEs in Hitachi-GE practice with the IEs in the
IAEA Safety Guide (NS-G-1.2).
As shown in Table 2.2-1, the IEs of AOOs in Hitachi-GE practice are almost the same as those in the IAEA
Safety Guide. The IEs that are not evaluated are not severe, have low probability, are almost the same as
another event, or could not occur under the actual operating procedure.
As shown in Table 2.2-2, the IEs of DBAs in Hitachi-GE practice are almost the same as those in the IAEA
Safety Guide. The IEs that are not evaluated are enveloped in other events.
Table 2.2-1 Comparison with Initiating Events (IEs) of AOOs in IAEA Safety Guide
Group | Typical examples of IEs leading to AOOs in IAEA Safety Guide (NS-G-1.2*) | IEs in Hitachi-GE practice
Increase in reactor heat removal | Inadvertent opening of steam relief valves | Not included [ ]
Increase in reactor heat removal | Feedwater system malfunctions leading to an increase in the heat removal rate | Included
Decrease in reactor heat removal | Feedwater pump trips | Included
Decrease in reactor heat removal | Reduction in the steam flow rate for control malfunctions | Not included in AOOs [ ]
Decrease in reactor heat removal | Reduction in the steam flow rate for main steam valve closure | Included
Decrease in reactor heat removal | Reduction in the steam flow rate for turbine trip/loss of external load | Included
Decrease in reactor heat removal | Reduction in the steam flow rate for loss of power | Included
Decrease in reactor heat removal | Reduction in the steam flow rate for loss of condenser vacuum | Not included [ ]
Decrease in reactor coolant system flow rate | Trip of one main coolant pump | Included
Reactivity and power distribution anomalies | Inadvertent control rod withdrawal | Included
Reactivity and power distribution anomalies | Wrong positioning of a fuel assembly | Not included [ ]
*: NS-G-1.2 has now been replaced by SSG-2, but the typical examples of IEs in NS-G-1.2 are more detailed
than those in SSG-2, so NS-G-1.2 is used to benchmark the IEs in Hitachi-GE practice.
Table 2.2-2 Comparison with Initiating Events (IEs) of DBAs in IAEA Safety Guide
Group | Typical examples of PIEs leading to DBAs in IAEA Safety Guide (NS-G-1.2*) | PIEs in Hitachi-GE practice
Increase in reactor heat removal | Steam line break | Included
Decrease in reactor heat removal | Feedwater line break | Included
Decrease in reactor coolant system flow rate | Trip of all main coolant pumps | Included
Decrease in reactor coolant system flow rate | Main coolant pump seizure or shaft break | Not included [ ]
Reactivity and power distribution anomalies | Uncontrolled control rod withdrawal | Included
Reactivity and power distribution anomalies | Control rod drop | Included
Increase in reactor coolant inventory | Inadvertent operation of emergency core cooling | Not included [ ]
*: NS-G-1.2 has now been replaced by SSG-2, but the typical examples of IEs in NS-G-1.2 are more detailed
than those in SSG-2, so NS-G-1.2 is used to benchmark the IEs in Hitachi-GE practice.
(3) List of Initiating Events (IEs) for UK ABWR
As described above, IEs for DSA in Hitachi-GE practice are selected in terms of severity from among
the IEs identified by logic tree analysis, and the IEs in Hitachi-GE practice are almost the same as
those in the IAEA Safety Guide.
As the first step in developing the fault schedule for UK ABWR, the list of IEs in Hitachi-GE practice
is re-categorized into the groups of faults in PSA shown in Fig. 2.2-8 to keep DSA and PSA consistent.
Also, as shown in Table 2.2-4, IEs of AOOs in Hitachi-GE practice are translated into frequent
faults and IEs of DBAs in Hitachi-GE practice are translated into infrequent faults for UK ABWR,
and IEs included in PSA are presented for reference. A draft description of the identification of IEs
for UK ABWR will be provided early in Step 2. Also, the list of IEs for UK ABWR DSA will be completed
in Step 2 based on the SAP principles shown in Table 2.2-3 below, according to the initiating event
frequency and the corresponding potential consequences, that is, the offsite/onsite radioactive dose.
Table 2.2-3 Faults and Events Category
[ This information is removed intentionally ]
[Fig. 2.2-8 Group of faults in PSA. Diagram contents:]
<Design Basis Faults> (corresponding to grouping of PSA)
Reactor Core (Internal initiating event):
  Transient: Non-isolation event; Isolation event; RPV Water level decreasing event; Malfunction of control rod system or RPS; Loss of off-site power; Inadvertent opening of a SRV
  LOCA: Small; Medium; Large; Other type of LOCA
Others: Radwaste system leak or failure; Misplaced fuel bundle accident; Fuel handling or cask drop accident; SFP accident
<Beyond Design Basis Faults> (IE with Multiple Failures): ATWS; Loss of all DGs; Loss of ECCS; Loss of all RHRs; Loss of ECCS
Fig. 2.2-8 Group of faults in PSA
Table 2.2-4 List of Initiating Events for UK ABWR DSA and PSA (1/5)
No. | Section | Group | Initiating Events
1.1 | Transient | Non-isolation event | Generator load rejection with bypass
1.2 | Transient | Non-isolation event | Partial loss of reactor coolant flow (Trip of three reactor internal pumps)
1.3 | Transient | Non-isolation event | Loss of reactor coolant flow (Trip of all reactor internal pumps)
1.4 | Transient | Non-isolation event | Feedwater controller failure – Maximum demand
1.5 | Transient | Non-isolation event | Recirculation flow control failure (Runout of all reactor internal pumps)
1.6 | Transient | Non-isolation event | Loss of feedwater heating
1.7 | Transient | Non-isolation event | Turbine trip with bypass
1.8 | Transient | Non-isolation event | Reactor pressure regulator failure in the closed direction
1.9 | Transient | Non-isolation event | Inadvertent control valve closure
1.10 | Transient | Non-isolation event | One reactor internal pump seizure or shaft break
1.11 | Transient | Non-isolation event | Inadvertent HPCF pump start
1.12 | Transient | Non-isolation event | Inadvertent one MSIV closure
DSA (Frequent Faults, Infrequent Faults) and PSA columns: [ This information is removed intentionally ]
Table 2.2-4 List of Initiating Events for UK ABWR DSA and PSA (2/5)
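No. | Section | Group | Initiating Events
2.1 | Transient | Isolation event | Inadvertent MSIV closure
2.2 | Transient | Isolation event | Reactor pressure regulator failure in the open direction
2.3 | Transient | Isolation event | Generator load rejection with failure of all bypass valves
2.4 | Transient | Isolation event | Inadvertent partial MSIV closure
2.5 | Transient | Isolation event | Inadvertent turbine bypass valve opening
2.6 | Transient | Isolation event | Turbine trip with failure of all bypass valves
2.7 | Transient | Isolation event | Loss of main condenser vacuum
3.1 | Transient | RPV Water level decreasing event | Loss of all feedwater flow
3.2 | Transient | RPV Water level decreasing event | Trip of one feedwater or condensate pump
3.3 | Transient | RPV Water level decreasing event | Feedwater controller failure – Decreasing flow
DSA (Frequent Faults, Infrequent Faults) and PSA columns: [ This information is removed intentionally ]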
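Table 2.2-4 List of Initiating Events for UK ABWR DSA and PSA (3/5)
No. | Section | Group | Initiating Events
4.1 | Transient | Malfunction of control rod system or RPS | Control rod withdrawal error at reactor start-up
4.2 | Transient | Malfunction of control rod system or RPS | Control rod withdrawal error at power
4.3 | Transient | Malfunction of control rod system or RPS | Control rod drop
4.4 | Transient | Malfunction of control rod system or RPS | Scram due to plant occurrences
4.5 | Transient | Malfunction of control rod system or RPS | Scram due to reactor protection system failure
4.6 | Transient | Malfunction of control rod system or RPS | Scram due to sensor failure of reactor protection system
5.1 | Transient | Loss of off-site power | Loss of off-site power
5.2 | Transient | Loss of off-site power | Loss of auxiliary power
6.1 | Transient | Inadvertent opening of a SRV | Inadvertent opening of a SRV
DSA (Frequent Faults, Infrequent Faults) and PSA columns: [ This information is removed intentionally ]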
Table 2.2-4 List of Initiating Events for UK ABWR DSA and PSA (4/5)
No. | Section | Group | Initiating Events
7.1 | LOCA | Small LOCA inside primary containment | LOCA –RPV bottom drain line break–
8.1 | LOCA | Medium LOCA inside primary containment | LOCA –HPCF line break–
8.2 | LOCA | Medium LOCA inside primary containment | LOCA –LPFL line break–
8.3 | LOCA | Large LOCA inside primary containment | LOCA –Feedwater line break–
8.4 | LOCA | Large LOCA inside primary containment | LOCA –Main steam line break–
8.5 | LOCA | Large LOCA inside primary containment | LOCA –RHR Outlet line break–
9.1 | LOCA | Other type of LOCA | LOCA outside primary containment –Main steam line break–
9.2 | LOCA | Other type of LOCA | Interface system LOCA –RHR suction line–
9.3 | LOCA | Other type of LOCA | Interface system LOCA –HPCF injection line–
9.4 | LOCA | Other type of LOCA | Interface system LOCA –LPFL injection line–
DSA (Frequent Faults, Infrequent Faults) and PSA columns: [ This information is removed intentionally ]
Table 2.2-4 List of Initiating Events for UK ABWR DSA and PSA (5/5)
No. | Section | Group | Initiating Events
10.1 | Others | Radwaste system leak or failure | Offgas treatment system failure (Gaseous radwaste system leak or failure)
10.2 | Others | Radwaste system leak or failure | Liquid radwaste system leak or failure
10.3 | Others | Radwaste system leak or failure | Solid radwaste system leak or failure
11.1 | Others | Misplaced fuel bundle accident | Mislocated fuel bundle accident
11.2 | Others | Misplaced fuel bundle accident | Misoriented fuel bundle accident
12.1 | Others | Fuel handling or cask drop accident | Fuel assembly drop
12.2 | Others | Fuel handling or cask drop accident | Cask drop
13 | Others | SFP accident | TBD
DSA (Frequent Faults, Infrequent Faults) and PSA columns: [ This information is removed intentionally ]
2.2.2 Description of Fault Schedule
The fault schedule identifies the protection systems and/or operator actions for each of the
initiating events listed as design basis frequent and infrequent faults.
For Steps 1 and 2, the fault schedule has been developed based on data from Hitachi-GE practice for
Japanese ABWR. Table 2.2-5 shows examples of the fault schedule based on Hitachi-GE practice for
Japanese ABWR.
It is recognized that the fault schedule described here is based on fault groups used in Japan and
elsewhere and does not include all contributing initiating events. A systematic exercise, such as
an FMEA exercise, will be undertaken in Step 2 to identify all the contributing initiating events for
each fault group.
The fault schedule will be reassessed as the detail of the UK ABWR design is determined. It will be
extended in Steps 2 and 3 to consider all operating modes and configurations, including partial power
operation and the shutdown state, and the impact of internal and external hazards, and will be
completed in Step 3. A draft description of the fault schedule and fault sequence will be provided
early in Step 2.
The fault schedule will also be extended in Steps 2 and 3 to include faults associated with spent fuel
handling and storage and with radwaste handling and storage.
Table 2.2-5 Example of Fault Schedule based on Hitachi-GE practice [ Draft ]
Columns: Item; Freq (pry); Initiating Event; Key Plant Impact (including consequential loss)

1 Non-isolation event
1.1 Generator load rejection with bypass [ ]
  Key Plant Impact: Pressure boundary: Intact; Off-site power: Supplied; MS line: Not isolated; Feedwater & Condensate system: Available
  Turbine Control Valve Rapid Closure → Reactor Scram → Reduced Pressure & Decrease Temp → Cold shutdown

2 Isolation event
2.1 Inadvertent MSIV closure [ ]
  Key Plant Impact: Pressure boundary: Intact; Off-site power: Supplied; MS line: Isolated; Feedwater & Condensate system: Unavailable
  All MSIV closure → Reactor Scram → Reduced Pressure & Decrease Temp → Cold shutdown
  [ This information is removed intentionally ]

3 RPV Water Level Decreasing Event
3.1 Loss of all feedwater flow [ ]
  Key Plant Impact: Pressure boundary: Intact; Off-site power: Supplied; MS line: Not isolated; Feedwater & Condensate system: Limited (Condensate system only available)
  Loss of all feedwater flow → Water level decrease → Low water level 3 → Reactor Scram → Reduced Pressure & Decrease Temp → Cold shutdown

5 Loss of off-site power
5.1 Loss of off-site power [ ]
  Key Plant Impact: Pressure boundary: Intact; Off-site power: Not supplied; MS line: Not isolated; Feedwater & Condensate system: Unavailable
  Turbine Control Valve Rapid Closure → Reactor Scram → Reduced Pressure & Decrease Temp → Cold shutdown

8 Medium LOCA inside containment
8.1 LOCA –HPCF line break– [ ]
  Key Plant Impact: Pressure boundary: Loss of coolant accident; Off-site power: Not supplied; MS line: Isolated; Feedwater & Condensate system: Unavailable
  [ This information is removed intentionally ]
3. Deterministic Safety Analysis
DSA (Deterministic Safety Analysis) is carried out for design basis faults to confirm the adequacy of
the safety design and the suitability and sufficiency of the safety measures against Target 4 in HSE
SAPs. DSA is also carried out for beyond design basis faults to demonstrate that the safety
measures can control severe plant conditions, such as frequent faults with common mode failure of
engineered safety systems or additional failures beyond the single failure criterion.
In this document, examples of DSA performed based on Hitachi-GE practice are described. DSA for
UK ABWR will be performed in Steps 2 to 4. It is recognized that it may be necessary to perform
transient analyses in response to comments or queries from ONR.
3.1 Scope of Assessment
The scope of IEs (Initiating Events) assessed in DSA includes frequent and infrequent design basis
faults and beyond design basis faults. As described in Section 2.2.1 (3), IEs assessed in DSA are
categorized as frequent and infrequent design basis faults and beyond design basis faults according
to the SAP principles shown in Table 2.2-3.
As the first step, Table 2.2-4 lists the IEs assessed for UK ABWR and their fault category according
to Hitachi-GE practice. Table 2.2-4 will be completed in Step 2 based on the SAP principles above.
3.2 Criteria
3.2.1 Acceptance Criteria for DSA in Japan
The following acceptance criteria are used for AOOs (anticipated operational occurrences) and
DBAs (Design Basis Accidents). These acceptance criteria are determined from “Regulatory Guide
for Reviewing Safety Assessment of Light Water Nuclear Power Reactor Facilities (NSCRG:
L-SE-I.0)”[1] published by The Nuclear Safety Commission of Japan.
3.2.1.1 Anticipated Operational Occurrences
Acceptance criteria for AOOs are used in Japan to confirm that the reactor facility is designed such
that an AOO initiating event does not lead to damage of the core and that the plant condition after
the event allows a return to normal operation.
Acceptance criteria for AOOs are listed below.
1) The minimum critical power ratio (hereinafter called "MCPR") shall be larger than the
permissible limit value (safety limit MCPR).
2) Fuel cladding shall not be mechanically damaged. That is, the average plastic strain in the
circumferential direction of the fuel cladding shall not exceed 1%.
3) Fuel enthalpy shall not exceed the design limit (defined in “Regulatory guidelines in Reactivity
Insertion Event Evaluation”[2] published by The Nuclear Safety Commission of Japan) in case
of reactivity insertion event.
4) Pressure on the reactor coolant pressure boundary shall be maintained below 110% of the
maximum allowable working pressure.
Regarding the fuel safety limit, an objective for normal operation and AOOs of BWRs is to maintain
nucleate boiling and thus avoid a transition to film boiling, so as to prevent damage to the fuel
cladding caused by overheating at boiling transition. The critical power ratio (CPR) is the figure of
merit used to express the thermal margin to the onset of boiling transition. It is defined as the ratio
of the critical power (the bundle power at which some point within the bundle experiences onset of
boiling transition) to the operating bundle power. The thermal margin is stated in terms of the
minimum CPR (MCPR), which corresponds to the most limiting fuel assembly in the core. To assure
that the safety limit MCPR is not violated during the most limiting AOOs, the MCPR should be
maintained above the operating limit MCPR, which is evaluated by AOO analysis and prescribed in
a technical specification for MCPR monitoring during steady-state plant operation, as shown in
Fig.3.2-1.
[Fig. 3.2-1 MCPR Limits: MCPR through the operating cycle. Levels shown, from highest to lowest: expected MCPR; operating margin; operating limit MCPR (OLMCPR = SLMCPR + ΔMCPR_MAX, where ΔMCPR_MAX is the decrease of MCPR during the most limiting AOOs); safety limit MCPR (SLMCPR), with the band between SLMCPR and 1.0 labelled "Uncertainties in manufacturing and monitoring the core operating state"; MCPR = 1.0 (bundle power = critical power).]
3.2.1.2 Design Basis Accidents
Acceptance criteria for accidents are used in Japan to confirm that the nuclear reactor facility is
designed such that a DBA initiating event does not lead to melting or considerable damage of the core,
that no secondary damage which may cause other abnormal situations will arise, and that the
protective barriers against release of radioactive material are adequate to limit the release of
radioactive materials to the environment to an acceptably low level.
Acceptance criteria for DBAs are listed below.
1) The core shall not be damaged considerably, and adequate coolable state of the core shall be
maintained.
The requirement in criterion (1) saying that adequate coolable state of the core shall be
maintained implies that the core shall keep such geometry as allows quantitative, or at least
semi-quantitative, assessment of the heat removal from the core, i.e. "coolable geometry". The
practical determination of conformance to this criterion shall in general be subject to the
following requirements specified in "Regulatory Guide for Evaluating Emergency Core Cooling
System Performance of Light Water Power Reactors"[3] published by The Nuclear Safety
Commission of Japan.
(a) The calculated maximum fuel cladding temperature shall not exceed 1200°C.
(b) The calculated total oxidation of the fuel cladding shall not exceed 15% of the total cladding
thickness before oxidation.
2) Fuel enthalpy shall not exceed the limit value to prevent the generation of mechanical energy
(defined in “Regulatory guidelines in Reactivity Insertion Event Evaluation” published by The
Nuclear Safety Commission of Japan) in case of reactivity insertion event.
3) Pressure on the reactor coolant pressure boundary shall be maintained below 120% of the
maximum allowable working pressure.
4) Pressure on the reactor containment boundary shall be maintained below the maximum
allowable working pressure.
5) The radiological risk to the off-site public shall be acceptably low. That is, effective dose for the
public shall not exceed 5mSv.
3.2.2 Acceptance Criteria for UK ABWR
UK ABWR design should comply with target 4 in relation to DSA. HSE SAP (Safety Assessment
Principle) defines two types of safety level with different numerical targets. These are BSLs (Basic
Safety Levels) and BSOs (Basic Safety Objectives). The BSL must be met as a minimum. The BSOs
form benchmarks that reflect modern nuclear safety standards and expectations.
• Target
To confirm compliance with Target 4 of HSE SAPs, the effective dose received by any person
arising from a design basis fault sequence shall not exceed the targets below.
On-site
BSL: 20mSv for initiating fault frequencies exceeding 1 × 10⁻³ pa
     200mSv for initiating fault frequencies between 1 × 10⁻³ and 1 × 10⁻⁴ pa
     500mSv for initiating fault frequencies less than 1 × 10⁻⁴ pa
BSO: 0.1mSv
Off-site
BSL: 1mSv for initiating fault frequencies exceeding 1 × 10⁻³ pa
     10mSv for initiating fault frequencies between 1 × 10⁻³ and 1 × 10⁻⁴ pa
     100mSv for initiating fault frequencies less than 1 × 10⁻⁴ pa
BSO: 0.01mSv
3.2.2.1 Frequent Design Basis Faults
For frequent design basis faults in combination with principal safety measure success, basically, the
following intermediate targets will be applied. These intermediate targets mean that the integrity of
fuel cladding and the reactor coolant pressure boundary are maintained and radioactivity is not
released to environment.
• Intermediate Targets for frequent design basis faults with principal safety measure success
1) MCPR shall be greater than the safety limit MCPR.
2) Fuel cladding shall not be mechanically damaged. That is, the average plastic strain in the
circumferential direction of the fuel cladding shall not exceed 1%.
3) Fuel enthalpy shall not exceed the design limit (defined in “Regulatory guidelines in
Reactivity Insertion Event Evaluation” published by The Nuclear Safety Commission of
Japan) in case of reactivity insertion event.
4) Pressure on the reactor coolant pressure boundary shall be maintained below 110% of the
maximum allowable working pressure.
However, for some frequent design basis faults with principal safety measure success in which MCPR
falls below the safety limit MCPR, the following intermediate targets will be applied. These
intermediate targets mean that excess embrittlement of fuel cladding is prevented and the reactor
coolant pressure boundary and reactor containment boundary are maintained.
[
]
3.2.2.2 Infrequent Design Basis Faults
For infrequent design basis faults, the following intermediate targets will be applied. These
intermediate targets mean that excess embrittlement of fuel cladding is prevented and the reactor
coolant pressure boundary and reactor containment boundary are maintained.
• Intermediate Targets for infrequent design basis faults
1) The calculated maximum fuel cladding temperature shall not exceed 1200°C.
2) The calculated total oxidation of the fuel cladding shall not exceed 15% of the total
cladding thickness before oxidation.
3) Fuel enthalpy shall not exceed the limit value to prevent the generation of mechanical
energy (defined in “Regulatory guidelines in Reactivity Insertion Event Evaluation”
published by The Nuclear Safety Commission of Japan) in case of reactivity insertion event.
4) Pressure on the reactor coolant pressure boundary shall be maintained below 120% of the
maximum allowable working pressure.
5) Pressure on the reactor containment boundary shall be maintained below the maximum
allowable working pressure.
3.2.2.3 Beyond Design Basis Faults
For frequent design basis faults in combination with principal safety measure failure, the following
intermediate targets will be applied. These intermediate targets indicate that the excess embrittlement
of fuel cladding is prevented, and the reactor coolant pressure boundary and reactor containment
boundary are maintained.
• Intermediate Targets for frequent design basis faults with principal safety measure failure
1) The calculated maximum fuel cladding temperature shall not exceed 1200°C.
2) Pressure on the reactor coolant pressure boundary shall be maintained below 120% of the
maximum allowable working pressure.
3) Pressure on the reactor containment boundary shall be maintained below the limiting
pressure.
4) Temperature on the reactor containment boundary shall be maintained below the limiting
temperature.
3.2.2.4 All faults
For all faults in UK ABWR, currently there are two acceptance criteria additional to the above under
consideration:
1) Once the reactor is shut down, the available SSCs (Structures, Systems, and Components)
shall prevent it returning to power. In the case of frequent faults, this means that, if the
reactor is shut down by the diverse provision of the reactivity control safety function, that
same diverse provision shall maintain sub-criticality as long as required.
2) Once the reactor is brought to a stable state, it shall be possible to bring the reactor to cold
shutdown conditions using the available SSCs. In the case of frequent faults, this means that,
if the reactor is cooled by the diverse provision of the ECCS function, that same diverse
provision or another provision that can be made available on the required timescale shall be
able to achieve cold shutdown conditions.
3.3 Analysis Code
This subsection shows the list of the computer codes to be used for DSA. Table 3.3-1 lists the
computer codes used for DSA in Japanese ABWR and the computer codes planned to be used for
DSA in UK ABWR. Brief description of the codes used in Japanese ABWR is presented below for
reference. Detailed description of the computer codes planned to be used in UK ABWR will be
provided in Step 2, including their validation.
Table 3.3-1 Computer Codes for DSA
NO. | Analysis Item | Computer Code (Japanese ABWR) | Computer Code (UK ABWR)
1 | Transient | REDY | ODYN
1 | Transient | SCAT | TASC
1 | Transient | Three dimensional boiling water reactor simulation calculation code | Three dimensional boiling water reactor simulation calculation code
1 | Transient | ISCOR | ISCOR
1 | Transient | APEX | TRACG
2 | LOCA | LAMB | LAMB
2 | LOCA | SCAT | SCAT
2 | LOCA | SAFER | SAFER
3 | PCV | Containment Pressure Response Analysis Code | Pressure Suppression Containment Analytical Code
3 | PCV | Flammable Gas Density Analysis Code | Flammable Gas Density Analysis Code
4 | Dose Evaluation | Dose Assessment Calculation Code | RADTRAD
5 | Severe Accident | MAAP | MAAP
5 | Severe Accident | JASMINE | JASMINE
5 | Severe Accident | AUTODYN | AUTODYN
Note: The codes in item 1~3 are proprietary to GE-Hitachi and the codes in
item 4 and 5 are generally used in BWR analysis.
Item 5 in the table above relates to Section 3.6.2 of this document.
3.3.1 REDY
REDY, the plant dynamic characteristics analysis code, is for analysing the plant stability,
“anticipated operational occurrences” and the loss of reactor coolant flow. This code simulates the
entire plant including the reactor core, reactor pressure vessel (hereinafter referred to as the
“pressure vessel”), pressure vessel internals, reactor coolant recirculation system, main steam pipe,
turbine system, etc., and models one-point kinetic dynamics including 6 groups of delayed neutrons
and reactivity feedbacks, thermal dynamics of the fuel rods, and the thermal hydraulic behaviour of
coolant.
Once the initial conditions including the reactor outputs, reactor core inlet flow (hereinafter referred
to as the “core flow”), reactor, main steam pipe and other data, nuclear data, fuel rod data, various
control system data, etc. as major inputs are set, the changes in time of the reactor outputs, reactor
pressure, core flow, reactor water level, etc. are obtained as outputs.
3.3.2 SCAT
SCAT, the single-channel thermal hydraulic analysis code, is for analysing the thermal margin of
fuel in the cases of the “anticipated operational occurrences” and “accidents.” This code models a
single channel, which consists of multi nodes in axial one-dimension. With regard to each node, the
heat transfer to coolant is calculated by applying the heat equation for the fuel rods, and the thermal
hydraulic behaviour of coolant is calculated by applying the law of conservation of mass,
momentum and energy for coolant in the channel.
Once the core data including the geometrical form of the fuel assemblies, axial power distribution,
etc., initial conditions of the fuel assembly outputs, flow at the channel inlet, etc., transient data of
the fuel assembly outputs, flow at the channel inlet, etc. as major inputs are set, the changes in time
of the critical power ratio (CPR) based on the GEXL correlation formula, coolant flow at each node,
quality, etc. are obtained as outputs.
3.3.3 Three dimensional boiling water reactor simulation calculation code
The three-dimensional boiling water reactor simulation calculation code is for analysing the reactor
core nuclear thermal hydraulic characteristics of a boiling water reactor, and calculates the power
distribution and effective multiplication of the entire reactor with a three-dimensional diffusion
equation. In addition, based on such power distribution, the thermal evaluation calculation and
combustion calculation will be made. This code is used for a wide range of purposes such as
calculations for control rod operation plans, burn-up control, reactor shutdown margin, etc. For
calculation at the time of output operation, convergence calculation is made so as to produce power
distribution with void distribution taken into consideration, due to the generation of void.
Once the data representing the reactor core conditions including the geometrical form of reactor core,
nuclear constants obtained from the nuclear calculation of unit fuel assemblies, data necessary for
the thermal hydraulic calculation, control rod patterns, reactor core heat output, etc. as major inputs
are set, reactor core power distribution, void distribution, burn-up distribution, effective
multiplication ratio, etc. are obtained as outputs.
3.3.4 ISCOR
ISCOR, the reactor core thermal hydraulic analysis code, is for analysing the thermal hydraulic
characteristics in the reactor core at steady state, and calculates the thermal hydraulic characteristics
for each type of fuel assembly in the reactor core and for the entire reactor core.
In concrete terms, the distributions of fuel flow to each of fuel assemblies are obtained by iterative
calculations by using the designed power distributions, so that the differences between pressures at
the inlet and outlet of the fuel assembly will become equal for all the fuel assemblies, and the
thermal hydraulic characteristics including the thermal margin, reactor core pressure loss, etc. are
calculated.
Once the data representing the reactor core conditions including the reactor core heat output, core
flow, etc., data related to the power distribution, geometrical form of the fuel assemblies and other
data required for the thermal hydraulic calculations as major inputs are set, the critical power ratio,
pressure losses, void distributions, etc. are obtained as outputs.
3.3.5 APEX
APEX, the reactivity insertion event analysis code, is for analysing the abnormal withdrawal of
control rod and falling of control rod(s) at the time of reactor startup. This code assumes a thermal
phenomenon of heat insulation, expresses the transients in average reactor core power in a dynamic
characteristic equation by one-point kinetics, and expresses the spatial distribution of power at the
core in a two-dimension (R-Z) diffusion equation. It is assumed that the rise of enthalpy at each part
of the reactor core is in proportion to the power distribution, and that during the time when the
average enthalpy at the core rises to a certain extent (the enthalpy step), the power distribution
remains at a constant level. For inserted reactivity, the control rod value, scram reactivity and
Doppler reactivity are considered, and this Doppler reactivity is obtained in consideration of the
power distribution obtained by the two-dimensional diffusion calculation.
Once nuclear data including the geometrical form of the reactor core, the various neutron cross
sections, diffusion coefficient, Doppler coefficient, reactor core dynamic characteristic
parameters, etc. are set as major inputs, the changes over time of the neutron flux distribution,
enthalpy distribution and average reactor core power are obtained as outputs.
3.3.6 LAMB
LAMB, the short-term thermal hydraulic transient analysis code, is for analysing the short-term
thermal hydraulic transients in the reactor, and can treat rupture accidents of various primary-system
piping connected to the pressure vessel. By dividing the pressure vessel and reactor coolant
recirculation system into seven nodes and solving an equation based on the law of conservation of
mass, momentum and energy, this code calculates changes in time in the mass, pressure and enthalpy
of coolant in each node, coolant flows between the nodes during the time span from the steady state
to several tens of seconds after the occurrence of the accident. For change in the reactor core flow,
responses in the flow caused by a coast down of the reactor coolant recirculation pump (hereinafter
referred to as the “recirculation pump”) from immediately after the rupture can be calculated.
Once the initial conditions including the reactor power, reactor core flow, etc., geometrical form and
various hydraulic quantities of the reactor, fuel assembly- and reactor core-related data, plant
transient characteristic parameters, recirculation pump characteristics, position and area of the
assumed rupture, etc. as major inputs are set, reactor pressure used for analysing the critical power
transient of the fuel rod under a blow-down state, change in time in reactor core flow and reactor
core inlet enthalpy, flow of bleed from rupture opening, etc. are obtained as outputs.
3.3.7 SAFER
SAFER, the long-term thermal hydraulic transient analysis code, is for analysing the long-term
thermal hydraulic transient in the reactor, and can treat rupture accidents of various primary-system
piping connected to the pressure vessel and loss of reactor coolant flow. This code, with the interior
of the reactor divided into nine nodes, calculates changes in the reactor pressure and water level of
each node. In addition, by inputting the performance characteristics of various emergency core
cooling systems (hereinafter referred to as the “ECCS”), this code can evaluate the performance of
the systems. In evaluating the in-core coolant quantity, the phenomenon that coolant falls to the
plenum at the bottom of the core caused by the gas-liquid countercurrent flow limitation
phenomenon (hereinafter referred to as the “CCFL”) at the upper tie plate, core inlet orifice, etc. and
the localization of subcool area at the upper part of the core (CCFL breakdown) can be considered.
In addition, this code performs temperature calculations for fuel pellets, fuel cladding and channel
box etc. with regard to the average-power fuel assemblies and high-power fuel assemblies. In
performing the temperature calculation for fuel cladding, the heat transfer coefficient reflecting the
cooling state of the tube, radiation between the fuel rods, and radiation of the fuel rods and channel
box can be considered.
The chemical reaction between the fuel cladding and cooling water or steam (hereinafter referred to
as the “zirconium-water reaction”) is calculated using the Baker-Just formula to obtain the
oxidized quantity of the surface. Further, by calculating the pressure inside the fuel rods, the code
evaluates whether any bulge and/or rupture of the fuel cladding occurs. If rupture has occurred, the
zirconium-water reaction occurring inside the fuel cladding is also considered.
The major inputs are the initial conditions (reactor power, reactor pressure, etc.), the geometry and
various hydraulic quantities of the reactor, data related to the fuel assemblies and reactor core,
plant transient characteristic parameters, the characteristics of the ECCS, and the position and area
of the assumed rupture. The outputs include the reactor pressure, the reactor water level, the highest
fuel cladding temperature and the oxidized quantity of fuel cladding.
3.3.8 Short-term containment pressure response analysis code
The short-term containment pressure response analysis code analyses changes in the pressure and
temperature inside the containment during the period of coolant blowdown immediately after a LOCA.
The code divides the containment into two nodes, the drywell and the suppression chamber, and
calculates the pressure and temperature inside the containment by solving equations based on the
conservation of mass and energy, the dynamic equation and the equation of state. Conservatively, the
exchange of heat with the instrumentation inside the containment is not considered.
The major inputs are the initial conditions (pressure, temperature and humidity at each part inside
the containment), the free space area, flow-path area and flow-path resistance, and the mass flow and
energy discharge quantity from the primary cooling system. The outputs are the changes over time in
the pressure and temperature inside the containment.
3.3.9 Long-term containment pressure response analysis code
The long-term containment pressure response analysis code analyses changes in the pressure and
temperature inside the containment over the long period, following the coolant blowdown after a LOCA,
during which the reactor containment spray cooling system is in operation. The code divides the
containment into two nodes, the drywell and the suppression chamber, and calculates the pressure and
temperature inside the containment by solving equations based on the conservation of mass and energy,
the dynamic equation and the equation of state. The ECCS model, containment spray model and heat
exchanger model are also incorporated in this code.
The major inputs are the ECCS flow, containment spray flow, heat exchanger model capacity, seawater
temperature, etc., in addition to the initial conditions (pressure, temperature and humidity at each
part inside the containment), the free space area, flow-path area and flow-path resistance, and the
mass flow and energy discharge quantity from the primary cooling system. The outputs are the changes
over time in the pressure and temperature inside the containment.
3.3.10 Flammable gas concentration analysis code
The flammable gas concentration analysis code analyses the density of flammable gases at each part
inside the containment after a LOCA. The code divides the containment into two nodes, the drywell and
the suppression chamber, and calculates the changes in the concentration of oxygen and hydrogen for
each node from the mass balance formula. It determines gas movement between nodes from the pressure
balance formula. As the sources of hydrogen and oxygen, the zirconium-water reaction (for hydrogen)
and radiolysis of water (for oxygen) are considered. A model of the flammable gas concentration
control system is also incorporated in this code.
The major inputs are the zirconium-water reaction rate, the water radiolysis rate, the flammable gas
concentration control system capacity, the initial conditions (pressure, temperature, humidity, etc.
at each part inside the containment), and the free space volume, flow-path area and flow-path
resistance. The outputs are the changes over time in the hydrogen and oxygen density.
3.3.11 MAAP
MAAP, the “Modular Accident Analysis Program” developed by EPRI, is a severe accident code that
simulates both the thermal-hydraulic characteristics and the radioactive-material behaviour in a
nuclear plant, such as core damage, pressure vessel failure, containment failure, and environmental
release of radioactive material. After core damage occurs in the simulation, the pressure vessel and
containment are divided into three segments (primary, drywell, and wetwell), and the events that occur
sequentially during a severe accident are modelled: reactor heat-up, oxidation of the cladding tube,
core damage, behaviour of the molten core (transfer, cooling, hydrogen and vapour generation,
interaction with concrete), containment overpressure and over-temperature, and behaviour of
radioactive material (release, transfer, and deposition). Because the water injection, cooling, and
control systems are modelled, MAAP is capable of plant analysis during a severe accident, including
automatic reactor trip and system response to personnel operation.
The major inputs are the initial conditions (reactor power, reactor pressure, containment pressure and
temperature, etc.), the geometry and various hydraulic quantities of the reactor, data related to the
fuel assemblies and reactor core, the containment free volume, flow-path area and flow-path
resistance, the performance of the water-injection and cooling systems, and the position and area of
the assumed rupture. The outputs include the reactor pressure, reactor water level, fuel temperature,
molten core temperature, containment pressure/temperature, quantity of eroded concrete, and
radioactive-material distribution in the containment.
3.4 Frequent Design Basis Faults
DSA for UK ABWR will be performed in Steps 2 and 3. Therefore, this section shows examples of
analysis results for frequent design basis faults, which have been performed on the basis of
Hitachi-GE practice. These examples explain the sequence and progress of each fault based on the
analysis results. They will explain that the basic design policies of the safety systems and safety
related systems on ABWR are adequate to meet the acceptance criteria in Japan.
3.4.1 Evaluated Events
Abnormal events are those that, if they occur and the nuclear facilities are left uncontrolled, may
cause excessive damage to the fuel and to the reactor coolant pressure boundary. Typical events are
selected from the viewpoint of confirming the design validity of the components, systems and
equipment of the safety protection systems, reactor shutdown systems and so on.
Where two or more similar abnormal transients are present, the analysis results are given for the
severest event, selected as a typical example. In analysing abnormal operational transients, we
divide them into the following main items:
(1) Abnormal changes of reactivity or power distribution inside the core
a. Control-rod withdrawal during startup
b. Control-rod withdrawal during power operation
(2) Abnormal changes of heat generation or removal inside the core
a. Loss of partial recirculation flow
b. Loss of offsite power
c. Loss of feedwater heating
d. Malfunctioning of Recirculation Flow Control System
(3) Abnormal changes of reactor coolant pressure or of inventory of coolant kept in the reactor
a. Loss of load
b. Inadvertent MSIV closure
c. Failure of Feedwater Control System
d. Failure of pressure control devices
e. Loss of all feedwater flow
3.4.2 Analysis conditions
The main conditions used in analysis are given below.
(1) Unless explicitly stated otherwise, a reactor thermal power of 4,005 MW (approx. 102 % of
the rated power), a core inlet flow of 47.0 × 10³ t/h (90 % of the rated flow), a turbine main
steam flow of 7.82 × 10³ t/h, a reactor pressure of 7.17 MPa[gage], and a reactor feedwater
temperature of 217 ℃ are assumed as the reactor initial conditions. The MCPR is assumed
as follows.
9×9 fuel (type A): 1.22
The maximum linear heat generation rate is assumed to be 44.0 kW/m throughout all the
core states.
(2) Unless explicitly stated otherwise, the recirculation flow control system is assumed to be in
the automatic operation mode. However, the manual operation mode is assumed if the
results for the manual operation mode are significantly severer.
(3) Unless explicitly stated otherwise, a single failure of the safety systems required to be
actuated is assumed, taken as a single failure of the safety protection systems.
3.4.3 Analysis results
In this section, the analysis results of some transients chosen from the listed events in Section 3.4.1
are given below.
(1) Loss of partial recirculation flow
(2) Loss of feedwater heating
(3) Loss of load (generator load rejection)
(4) Inadvertent MSIV closure
(5) Loss of all feedwater flow
The analysis results of ‘Loss of partial recirculation flow’ and ‘Loss of feedwater heating’ chosen
from the ‘Abnormal changes of heat generation or removal inside the core’ are given below.
(1) Loss of partial recirculation flow
‘Loss of partial recirculation flow’ is chosen from Fig.2.2-5 in Section 2.2.1(1), and the plant
behaviour is analyzed based on the event sequence shown in Fig.3.4-1. The analysis result is
shown in Fig.3.4-2.
When three recirculation pumps are tripped, the core flow will decrease rapidly, and the voids will
increase quickly. Because of the increased voids, the reactor water level will rise, but it will not
cause a turbine trip on high reactor water level (Level 8) and therefore will not lead to reactor
scram. When three recirculation pumps are tripped, the flow path resistance of the pumps on the
normal side will decrease, and their flow will increase to approx. 141 %. The flow of the tripped
pumps will reverse in approx. 0.8 s, and the core flow will become approx. 85 % of the rating.
Although the neutron flux will increase to approx. 106 % of the rated value with the increase in the
normal side pump flow, the surface heat flux will not exceed the initial value. Against the initial
MCPR of 1.22, the maximum value of ΔMCPR will be 0.05, and the MCPR during the transient is
maintained at a value of 1.17 or more. The dome pressure rises to approx. 7.18MPa[gage], slightly
beyond the initial value.
The event converges as shown in the analysis results. After the transient, the reactor can be operated
with 7 recirculation pumps. If necessary, the reactor can be brought to cold shutdown by decreasing
the reactor pressure and temperature following the normal shutdown operation.
The acceptance criteria for this phenomenon are as shown in 1), 2) and 4) in “3.2.1.1”.
As described above, the minimum/maximum values of MCPR and surface heat flux satisfy their
respective acceptance criteria. The maximum reactor dome pressure is smaller than that obtained for
‘Loss of load’, so the maximum pressure at the reactor coolant pressure boundary satisfies the
acceptance criterion.
(2) Loss of feedwater heating
‘Loss of feedwater heating’ is chosen from Fig.2.2-4 in Section 2.2.1(1), and the plant behaviour is
analyzed based on the event sequence shown in Fig.3.4-3. The operating control mode of the
recirculation flow control system is assumed to be manual, to give the severer analysis result. The
analysis result is shown in Fig.3.4-4.
It is assumed that the feedwater temperature drops by 55 °C because one feedwater heater loses its
heating ability. As a result of the loss of feedwater heating, the core inlet subcooling increases,
and the reactor power rises. The neutron flux increases to approx. 119 % of the rated value because
of the increase of the inlet subcooling. The surface heat flux also increases to approx. 118 % of the
rated value, the high neutron flux (corresponding to heat flux) scram signal is output, and reactor
scram occurs in approx. 91 seconds. Against the initial MCPR of 1.22 for the 9×9 fuel (type A), the
maximum value of ΔMCPR is 0.15, and the MCPR during the transient is maintained at a value of
1.07 or more.
The event converges as shown in the analysis results. Afterwards, the reactor can be brought to cold
shutdown by decreasing the reactor pressure and temperature following the shutdown operation after
scram (when MSIVs are open).
The acceptance criteria for this phenomenon are as shown in 1), 2) and 4) in “3.2.1.1”.
As described above, the minimum/maximum values of MCPR and surface heat flux satisfy their
respective acceptance criteria. The maximum reactor dome pressure is smaller than that obtained for
‘Loss of load’, so the maximum pressure at the reactor coolant pressure boundary satisfies the
acceptance criterion.
The analysis results of ‘Loss of load’, ‘Inadvertent MSIV closure’ and ‘Loss of all feedwater flow’,
chosen from the ‘Abnormal changes of reactor coolant pressure or of inventory of coolant kept in the
reactor’, are given below.
(3) Loss of load
‘Loss of load’ (specifically ‘Generator load rejection’) is chosen from Fig.2.2-8 in Section 2.2.1(1),
and the plant behaviour is analyzed based on the event sequence shown in Fig.3.4-5. The probability
that the turbine bypass valves are not activated when generator load rejection occurs is very small.
However, it is assumed here that the turbine bypass valves are not activated, in order to obtain a
severer transient. The analysis result without turbine bypass is shown in Fig.3.4-6.
When generator load rejection occurs, rapid closure of the steam control valves causes reactor scram
and tripping of 4 of 10 recirculation pumps. The reactor pressure rises because of the interruption
of the main steam, and a positive reactivity is injected into the core because of the decrease of the
voids. However, the rate of void decrease is mitigated by the tripping of the recirculation pumps, and
a negative reactivity is injected by the scram. Since it is assumed that the turbine bypass valves are
not activated, the transient will be severer than in cases where the turbine bypass valves are
activated. However, the increase of the neutron flux will be suppressed to approx. 138 % of the rated
value. The surface heat flux will not exceed its initial value. Against the initial MCPR of 1.22, the
maximum value of ΔMCPR is 0.15, and the MCPR during the transient is maintained at a value of 1.07
or more for the 9×9 fuel (type A). Since the turbine bypass valves are not activated, the reactor
pressure will rise, but it will be suppressed to approx. 8.32MPa[gage] (the pressure at the reactor
coolant pressure boundary is approx. 8.46MPa[gage]) by the activation of the safety/relief valves.
The reactor pressure is controlled by the safety/relief valves.
The event converges as shown in the analysis results. Afterwards, the reactor can be brought to cold
shutdown by decreasing the reactor pressure and temperature following the shutdown operation after
scram (when MSIVs are closed).
The acceptance criteria for this phenomenon are as shown in 1), 2) and 4) in “3.2.1.1”.
As described above, the minimum/maximum values of MCPR, surface heat flux and pressure at the
reactor coolant pressure boundary satisfy their respective acceptance criteria.
(4) Inadvertent MSIV closure
‘Inadvertent MSIV closure’ is chosen from Fig.2.2-8 in Section 2.2.1(1), and the plant behaviour is
analyzed based on the event sequence shown in Fig.3.4-7. The analysis result is shown in Fig.3.4-8.
When the main steam isolation valves have closed 10 % from the fully open position, in approx. 0.3
second, the reactor scrams on the main steam isolation valve closure scram signal from the position
detection switches of the main steam isolation valves.
When the main steam is interrupted, the reactor pressure will rise, the voids will decrease, and a
positive reactivity will be inserted into the core. However, the neutron flux and the surface heat flux
will not exceed their initial values because of the negative reactivity due to the main steam
isolation valve closure scram. The MCPR also will not drop below its initial value. The reactor
pressure will rise as the main steam isolation valves are closed. However, the safety/relief valves
will be activated approx. 2.4 seconds later, and the reactor pressure will be suppressed to
approx. 8.08MPa[gage].
When the main steam isolation valves are closed, the speeds of the turbine driven feedwater pumps
will drop, and the reactor water level will drop along with them. Since steam will still be generated
by the decay heat after the reactor scram, the reactor pressure will rise, and the safety/relief
valves will be opened intermittently.
The reactor water level will drop gradually. In practice, the reactor core isolation cooling system
will start up at a low reactor water level (Level 2) to prevent excessive dropping of the water level.
The reactor pressure is controlled by the safety/relief valves. The event converges as shown in the
analysis results. Afterwards, the reactor can be brought to cold shutdown by decreasing the reactor
pressure and temperature following the shutdown operation after scram (when MSIVs are closed).
The acceptance criteria for this phenomenon are as shown in 1), 2) and 4) in “3.2.1.1”.
As described above, the minimum/maximum values of MCPR and surface heat flux satisfy their
respective acceptance criteria. The maximum reactor dome pressure is smaller than that obtained for
‘Loss of load’, so the maximum pressure at the reactor coolant pressure boundary satisfies the
acceptance criterion.
(5) Loss of all feedwater flow
‘Loss of all feedwater flow’ is chosen from Fig.2.2-10 in Section 2.2.1(1), and the plant behaviour is
analyzed based on the event sequence shown in Fig.3.4-9. The analysis result is shown in Fig.3.4-10.
Because of the loss of feedwater flow, the reactor water level drops rapidly owing to the mismatch
between the feedwater flow into the pressure vessel and the outgoing flow of steam.
Therefore, reactor scram occurs in approx. 7.0 seconds on the low reactor water level scram
(Level 3), and 4 of 10 recirculation pumps are tripped. Approx. 15 seconds later, the
remaining 6 recirculation pumps are tripped on account of low reactor water level (Level 2).
The transient will be a slow one because the reactor is already scrammed by this time, and the
power has decreased sufficiently. The neutron flux is kept down to approx. 105 % of the rated value,
and the surface heat flux and reactor pressure also do not exceed their initial values. The MCPR will
not drop below its initial value.
This transient has the severest water level drop of all the transients analyzed in this section.
However, even in this case, it is quite possible in practice to recover the reactor water level with
an adequate margin with respect to Level 1.5, since the reactor core isolation cooling system starts
up at a low reactor water level (Level 2) to prevent the reactor water level from dropping. The event
converges as shown in the analysis result. Afterwards, the reactor can be brought to cold shutdown by
decreasing the reactor pressure and temperature following the shutdown operation after scram (when
MSIVs are open).
The acceptance criteria for this phenomenon are as shown in 1), 2) and 4) in “3.2.1.1”.
As described above, the minimum/maximum values of MCPR and surface heat flux satisfy their
respective acceptance criteria. The maximum reactor dome pressure is smaller than that obtained for
‘Loss of load’, so the maximum pressure at the reactor coolant pressure boundary satisfies the
acceptance criterion.
3.4.4 Review of conformance to acceptance criteria
In this section, some examples of frequent design basis faults are presented. According to these
analysis results, the acceptance criteria for AOOs in Japan in Section 3.2.1 are met by the safety
systems on the Japanese ABWR. The conformance to each criterion is described below.
The reactors are operated with the MCPR maintained at 1.22 or higher for the 9×9 fuel (type A).
Thus, the MCPR will not drop below the permissible limit value of 1.07 (safety limit MCPR)
even in the event of loss of feedwater heating, which is the severest transient.
Even in the event of abnormal control rod withdrawal during power operation, which gives the
severest surface heat flux of the fuel, the surface heat flux is approx. 120 % of the rated value,
which is below the surface heat flux of 170 % corresponding to a 1 % plastic strain of the fuel
cladding.
In the event of abnormal control rod withdrawal at startup, the reactivity injected does not exceed
approx. $0.72, and the rise of the reactor power is also slow. Therefore, a reactivity insertion event
does not result, and there is no occurrence of fuel failure involving rapid adiabatic increases of the
fuel enthalpy.
The reactor pressure reaches its maximum in the event of loss of load (generator load rejection with
turbine bypass valves not activated). Even in this case, the maximum pressure is suppressed to
approx. 8.32MPa[gage] (the pressure at the reactor coolant pressure boundary is approx.
8.46MPa[gage]). These values are considerably lower than the maximum operating pressure at the
reactor coolant pressure boundary × 1.1 (9.48MPa[gage]).
3.4.5 Conclusion
As indicated by the examples of analysis results for frequent design basis faults based on
Hitachi-GE practice in Japan, ABWR can control its infrequent faults stably and ensure the integrity
of the fuel and the reactor coolant pressure boundary through the self-regulation capability of the
boiling water reactor and the initiation of safety systems. They also meet the acceptance criteria
for AOOs in Japan.
DSA for frequent design basis faults on UK ABWR will be performed to confirm the adequacy of
the safety design and the suitability and sufficiency of the safety measures against target 4 in HSE
SAPs in Step 2.
3.4.6 Effect for Analysis Results by Deviations on Major Plant Specifications
Table 3.4-1 shows deviations on major plant specifications between Japanese, US, and UK ABWR
related to frequent design basis fault analysis.
Fig.3.4-1 Sequence of Loss of partial recirculation flow
Fig.3.4-2 Analysis Result of Loss of partial recirculation flow [2]
Feedwater heater loss
↓
Feedwater temperature decrease
(by less than 55℃)
↓
Core inlet subcooling increase
↓
Core void decrease
↓
Neutron flux increase
↓
Scram
Fig.3.4-3 Sequence of Loss of feedwater heating
[Figure: two panels plotted against Time (sec). Panel 1: neutron flux (%), fuel average surface heat
flux (%), core inlet flow rate (%), feedwater flow rate (%), ⊿MCPR. Panel 2: reactor water level
change from initial (×5 cm), reactor pressure change from initial (×0.01 MPa), core inlet subcooling
(×5 kJ/kg), turbine steam flow rate (%). Annotations: neutron flux increase due to core inlet
subcooling increase; scram.]
Fig.3.4-4 Analysis Result of Loss of feedwater heating [2]
[Sequence diagram; surviving labels: Load Rejection (*), Relief valve close, Neutron flux decrease.]
(*) The turbine bypass valves are assumed not to be activated.
Fig.3.4-5 Sequence of Generator Load Rejection without Bypass
[Figure: two panels plotted against Time (sec). Panel 1: neutron flux (%), fuel average surface heat
flux (%), core inlet flow rate (%), main steam flow rate (%), ⊿MCPR. Panel 2: reactor water level
change from initial (×5 cm), reactor pressure change from initial (×0.01 MPa), turbine bypass valve
flow rate (%), safety relief valve flow rate (%). Annotations: pressure increase due to closure of
control valve; neutron flux spike due to void feedback; scram; relief valve open due to pressure
increasing; main steam flow decrease due to closure of control valve and recovery due to relief valve;
recirculation flow decrease due to 4 of 10 RIPs trip; MCPR decrease due to flux spike.]
Fig.3.4-6 Analysis Result of Generator Load Rejection without Bypass [2]
Fig.3.4-7 Sequence of Inadvertent MSIV closure
Fig.3.4-8 Analysis Result of Inadvertent MSIV closure [2]
Fig.3.4-9 Sequence of Loss of all feedwater flow
Fig.3.4-10 Analysis Result of Loss of all feedwater flow [2]
Table 3.4-1 Deviation on Major Plant Specifications related to frequent design basis fault analysis (1/5)
| Item | Japanese Reference Plant | UK ABWR | US ABWR (DCD Rev.4) | Note |
|---|---|---|---|---|
| 1. Basic Operating Condition | | | | |
| (1) Thermal output (Rated) | 3926MW | 3926MW | 3926MW | |
| (2) Core flow rate (Rated) | 52200t/h | 52200t/h | 52200t/h | |
| (3) Feedwater temperature (Rated) | 217 °C | 217 °C | 217 °C | |
| (4) Reactor Pressure (at RPV dome) | 7.07MPa[gage] | 7.07MPa[gage] | 7.07MPa[gage] | |
| 2. Fuel Type | 9×9 Fuel | 10×10 Fuel (GE14) | 8×8 Fuel | |
| 3. Nuclear Boiler System | | | | |
| (1) Main steam line volume | 113.2 m³* | 113.2 m³* | 113.2 m³ | *Minimum volume requirement. |
| (2) Characteristic of Safety Valves (·Valve number, ·Capacity) | 7.92MPa×395t/h×2; 7.99MPa×399t/h×4; 8.06MPa×402t/h×4; 8.13MPa×406t/h×4; 8.20MPa×409t/h×4 | 7.92MPa×460t/h×2; 7.99MPa×464t/h×4; 8.06MPa×468t/h×4; 8.13MPa×472t/h×3; 8.20MPa×476t/h×3 | 7.92MPa×395t/h×2; 7.99MPa×399t/h×4; 8.06MPa×402t/h×4; 8.13MPa×406t/h×4; 8.20MPa×409t/h×4 | Flow rates of UK ABWR safety valves are larger than those of the others, which mitigates the pressure increase more. |
| (3) Characteristic of Relief Valves (·Valve number, ·Capacity) | 7.51MPa×363t/h×1; 7.58MPa×367t/h×1; 7.65MPa×370t/h×4; 7.72MPa×373t/h×4; 7.79MPa×377t/h×4; 7.86MPa×380t/h×4 | 7.51MPa×422t/h×1; 7.58MPa×426t/h×1; 7.65MPa×431t/h×4; 7.72MPa×434t/h×4; 7.79MPa×438t/h×3; 7.86MPa×442t/h×3 | 7.51MPa×1; 7.58MPa×1; 7.65MPa×4; 7.72MPa×4; 7.79MPa×4; 7.86MPa×4 | Flow rates of UK ABWR safety valves are larger than those of the others, which mitigates the pressure increase more. |
| (4) Capacity of Bypass Valves | 33% | 33% | 33% | |
| (5) MSIV Closure time | 3−4.5 seconds | 3−4.5 seconds | 3−4.5 seconds | |
Table 3.4-1 Deviation on Major Plant Specifications related to frequent design basis fault analysis (2/5)
Item
4. Recirculation System
(1)Pump Characteristic
(2) Power supply configuration
5. RPV volume
6. Setpoints of RPS(Reactor
Protection System)
(1) High reactor pressure scram
(2) Low reactor water level scram
(Level 3)
(3) High neutron flux scram
·In terms of neutron flux
·In terms of heat flux
(4) Short reactor period scram
(5) Main steam isolation valve
closure scram
(6)Turbine main steam stop valve
closure scram
7. Scram insertion time
Japanese
Reference Plant
Same as reference
plant
ASD×10 (1/RIP)
MGset×2
Same as reference
plant
US ABWR
(DCD Rev.4)
Same as reference
plant
ASD×10 (1/RIP)
MGset×2
Same as reference
plant
7.52MPa[gage]
7.52MPa[gage]
7.62MPaG*
*Analysis condition
+62 cm from the
bottom of
separator skirt
+62 cm from the
bottom of
separator skirt
+57cm above
bottom of
separator*
*Analysis condition
120%
120%
125%
Reactor period of
10 s
90 % stroke
position
90 % stroke
position
1.44 s at 60 % of
full stroke
2.80 s at 100 % of
full stroke
Reactor period of
10 s
90 % stroke
position
90 % stroke
position
1.44 s at 60 % of
full stroke
2.80 s at 100 % of
full stroke
−
ASD×10 (1/RIP)
MGset×2
−
UK ABWR
*
85 % stroke
position*
85 % stroke
position*
1.44 s at 60 % of
full stroke
2.80 s at 100 % of
full stroke
Note
*Unconfirmed
*Analysis condition
*Analysis condition
Table 3.4-1 Deviation on Major Plant Specifications related to frequent design basis fault analysis (3/5)
| Item | Japanese Reference Plant | UK ABWR | US ABWR (DCD Rev.4) | Note |
|---|---|---|---|---|
| 8. Reactor high water level | | | | |
| (1) Level 8: ·Turbine trip | +166 cm from the bottom of separator skirt | +166 cm from the bottom of separator skirt | +1389.3 cm from the bottom of RPV | |
| 9. Low reactor water level | | | | |
| (1) Level 3: ·Trip of four RIPs | +62 cm from the bottom of separator skirt | +62 cm from the bottom of separator skirt | +1285.7 cm from the bottom of RPV | |
| (2) Level 2: ·Trip of six RIPs | −58 cm from the bottom of separator skirt | −58 cm from the bottom of separator skirt | +1168.1 cm from the bottom of RPV | |
| (3) Level 1.5: ·Closure of MSIVs, ·Initiation of HPCF, ·Initiation of RCIC, ·Initiation of emergency diesel generators (Division II/III) | −203 cm from the bottom of the separator skirt | −203 cm from the bottom of the separator skirt | +1023.0 cm from the bottom of RPV | |
| (2) Level 1: ·Initiation of LPFL, ·Initiation of emergency diesel generators (Division I), ·Initiation of ADS | −287 cm from the bottom of the separator skirt | −287 cm from the bottom of the separator skirt | +939.6cm from the bottom of RPV | |
Table 3.4-1 Deviation on Major Plant Specifications related to frequent design basis fault analysis (4/5)
| Item | Japanese Reference Plant | UK ABWR | US ABWR (DCD Rev.4) | Note |
|---|---|---|---|---|
| 10. High Pressure Core Flooder System (HPCF) | | | | |
| (1) Number of unit | 2units | 2units | * | *Unconfirmed |
| (2) Flow rate (Rated) | 182 m³/h (per pump, at 8.115 MPa [dif]), 727 m³/h (per pump, at 0.689 MPa [dif]) | 182 m³/h (per pump, at 8.115 MPa [dif]), 727 m³/h (per pump, at 0.689 MPa [dif]) | * | *Unconfirmed |
| 11. Reactor Core Isolation Cooling System (RCIC) | | | | |
| (1) Number of units | 1unit | 1unit | 1unit | |
| (2) Flow rate (Rated) | 182 m³/h (per pump, at 8.115~1.034 MPa [dif]) | 182 m³/h (per pump, at 8.115~1.034 MPa [dif]) | 182 m³/h (per pump, at 8.12~1.03 MPa [dif]) | |
| (3) Duration of loss of AC power Supply | [ ]hr | [ ]hr | * | *Unconfirmed |
54
Table 3.4-1 Deviation on Major Plant Specifications related to frequent design basis fault analysis (5/5)

| Item | Japanese Reference Plant | UK ABWR | US ABWR (DCD Rev.4) | Note |
|---|---|---|---|---|
| 12. Low Pressure Flooder System (LPFL) | | | | |
| (1) Number of units | 3 units | 3 units | 3 units | |
| (2) Flow rate (Rated) | 0 m³/h (per pump, at 1.551 MPa [dif]), 954 m³/h (per pump, at 0.276 MPa [dif]) | 0 m³/h (per pump, at 1.551 MPa [dif]), 954 m³/h (per pump, at 0.276 MPa [dif]) | 954 m³/h (per pump, at 0.27 MPa [dif]) | |
| 13. Automatic Depressurization System (ADS) | | | | |
| (1) Number of valves | 8 units | 7 units | * | *Unconfirmed |
| (2) Flow rate (Rated) | 2.903×10⁶ kg/h (per all valves) | 2.903×10⁶ kg/h (per all valves) | * | *Unconfirmed |
3.5 Infrequent Design Basis Faults
DSA for UK ABWR will be performed in Steps 2 and 3. Therefore, this section shows examples of
analysis results for infrequent design basis faults, which have been performed on the basis of
Hitachi-GE practice. These examples explain the causes of each infrequent design basis fault, the
measures implemented to prevent it, and the associated safety functions.
In addition, they show the progress of the faults based on the analysis results, and explain that the
basic design policies of safety systems and safety related systems on ABWR are adequate to
meet acceptance criteria in Japan.
3.5.1 Evaluated Events
In analysing accidents, we will study them by dividing them into the following main items:
1) Loss of reactor coolant or considerable change in core cooling
a. Loss of coolant (LOCA)
b. Loss of reactor coolant flow (Trip of all reactor internal pumps)
2) Abnormal reactivity insertion or rapid change in reactor power
a. Control rod drop
3) Abnormal release of radioactive materials to the environment
a. Offgas treatment system failure
b. Main steam line break (MSLBA)
c. Fuel assembly drop (Fuel Handling Accident)
d. Loss of coolant accident (LOCA)
e. Control rod drop
4) Abnormal change in pressure and atmosphere etc. in the primary containment
a. Loss of coolant (LOCA)
b. Generation of flammable gas
c. Generation of dynamic load
As an example, the analysis results of the following events, chosen from those listed above, are shown
in this section.
(1) Loss of coolant accidents (LOCA)
(2) Loss of reactor coolant flow accident (Trip of all Reactor Internal Pumps Accident) (APTA)
(3) Main steam line break accident (MSLBA)
(4) Abnormal Change in Pressure and Atmosphere etc. in the Primary Containment
(Analysis of Pressure and Temperature Responses of Containment Vessel)
3.5.2 Loss of Coolant Accidents (LOCA)
3.5.2.1 Causes
If one of the various pipes connected to the reactor coolant pressure boundary should break during
reactor operation for some reason, the reactor coolant leaks out of the pressure boundary or is lost.
In this case, if the coolant cannot be replenished, it becomes impossible to cool the core sufficiently,
and in the worst case, the fuel temperature rises excessively due to the decay heat, and fission
products may possibly be released from the fuel.
3.5.2.2 Measures to Prevent Accidents and to Mitigate Accidents
(1) Measures to Prevent Accidents
The following measures are adopted in design and in operation management for the purpose of
preventing the occurrence of LOCAs:
a. In designing the piping, etc., severe conditions are to be applied, taking fully into
consideration the various types of stresses operating during the reactor life.
b. The selection and working of materials as well as the designing and fabrication of pipes, etc.
are to comply with the various codes and standards, and adequate quality controls are to be
carried out.
c. The main sites are to be inspected during the period when the reactor is in service, and their
integrity is to be checked.
d. The pipes, etc. which make up the reactor coolant pressure boundary are to have a design
which will prevent non-ductile break.
e. In addition, monitoring by means of the leakage detection system is used to detect damage
before it develops into breaks, and suitable measures are to be taken.
These claims will be substantiated in the structural integrity subject area.
(2) Measures to Mitigate Accidents
If a LOCA should occur in spite of the above measures to prevent an accident, the following
measures will be applied to mitigate the accident:
a. The ECCS are provided for the purpose of preventing damage to the fuel cladding tubes large
enough to interfere with core cooling (large damage), suppressing the zirconium-water
reaction to a sufficiently low level, and removing the decay heat over a prolonged period.
a) The High Pressure Core Flooder Systems (hereinafter called the "HPCF"), the Reactor
Core Isolation Cooling System (hereinafter called the "RCIC"), the Automatic
Depressurization Systems (hereinafter called the "ADS") and the Low Pressure Flooder
Systems (hereinafter called the "LPFL") are provided in these reactors in order to
achieve the purposes mentioned above.
Even in cases where there will be the largest decrease of the amount of coolant retained,
such as a complete break of the pipe of the HPCF, depressurization inside the reactor will
not be accelerated to a degree corresponding to the decrease of the coolant. Therefore, the
HPCF and RCIC, which are able to inject water even with the reactor in a high pressure
state, will start at signals indicating a low reactor water level or a high drywell pressure and
will cool the core. Moreover, independently of the HPCF and the RCIC, the ADS will be
activated after a time delay of 30 seconds by simultaneous signals indicating a low reactor
water level and a high drywell pressure. By releasing reactor steam into the pool water of
the suppression chamber, they will lower the reactor pressure, making possible prompt
injection of water by the LPFL.
b) In the ECCS of these reactors, systems with different basic principles are provided
redundantly and independently to perform core cooling to deal with breaks of any area
of the pipes connected to the pressure vessel. This design aims at preventing the
core-cooling function from failing in the event of any single failure.
c) The ECCS power sources are designed with three diesel generators to supply power
even if no offsite power is available.
b. A containment installation is provided in order to hold in the coolant and radioactivity released
from the pressure vessel during a LOCA. The containment installation consists of a
pressure-suppression type containment vessel and the Reactor Area of the Reactor Building
(hereinafter called the "Reactor Area") surrounding the containment vessel.
a) The containment vessel has a design capable of withstanding the rise of the internal
pressure during a LOCA. It is designed to have a leakage rate of 0.4%/d or less (at normal
temperature, in air, at a pressure 0.9 times the maximum service pressure).
The containment vessel is provided with a Containment-Vessel Spray-Cooling System for
preventing the pressure and temperature inside the containment vessel from exceeding the
maximum service pressure and the maximum service temperature.
In addition, these reactors are provided with Flammability Control Systems for preventing
the flammable gases produced by radiolysis of water inside the containment vessel and by
the zirconium-water reaction from reaching their flammable limits.
b) Provisions are made for maintaining a negative pressure in the Reactor Area even during
an accident. Its ventilation rate is to be 50%/d. Standby Gas Treatment Systems are also
provided. They remove the iodine with a high efficiency before it is released through the
main stacks into the air.
3.5.2.3 Analysis of Accident Process
The break of the HPCF pipe ends produces the peak fuel cladding temperature. Hence, this accident is
analyzed in order to confirm the performance of the ECCS during the loss of reactor coolant.
(1) Analysis conditions
The analysis of the HPCF pipe ends rupture accident is carried out based on the following
assumptions.
a. The reactor is assumed to operate at about 102% of rated power (4,005 MWt) and at 90% of
the rated core flow rate immediately before the accident.
b. The maximum linear heat generation rate of a fuel rod is assumed to be 102% of 44.0 kW/m
(operating limit). For a gap heat transfer coefficient between a fuel clad and pellet, a value that
will make the analysis result more conservative is used in consideration of variations in the
heat transfer during the cycle exposure.
c. For the decay heat after the shutdown of the reactor, a value determined from an equation that
incorporates a safety margin into actual measurements, is used. For reference, this equation
incorporates a decay heat of actinide.
d. Off-site power is assumed to be lost concurrently with the occurrence of the accident.
Consequently, a recirculation pump will instantly be tripped. The reactor scram is assumed to
be initiated by a signal of core flow rapid coastdown.
e. The high drywell pressure signal is considered to be given as an ECCS startup signal
earlier than the signal for a low water level in the reactor (Level 2 or 1), but the ECCS is
conservatively assumed to start up at the signal for the low level.
f. A single failure is assumed in safety protection systems (scrams resulting from core flow rapid
coastdown) from the viewpoint of the capability of reactor shutdown.
g. The most conservative single failure is assumed in the ECCS network from the viewpoint of
the capability of reactor cooling. The most conservative single failure in the case of the HPCF
pipe break accident is a failure of a diesel generator that supplies power to an otherwise
functional high-pressure core injection system.
h. The leakage of coolant from the broken area is calculated based on a uniform critical flow
model.
i. In a safety and relief valve, the relief valve works earlier than the safety valve, but the safety
valve is assumed to work earlier.
For more information, major calculation conditions used for the analysis are shown in Table
3.5.2.1-1.
(2) Analysis results
a. Variations of core flow, reactor pressure, reactor water level and fuel cladding-tube
temperature
If there is a double-ended break of the HPCF lines, critical flow will occur at the HPCF
sparger nozzle part having the smallest area within the flow path from the HPCF sparger to the
rupture orifice.
If we suppose a loss of offsite power occurring simultaneously with the accident, the core flow
will decrease rapidly because of the shutdown of the recirculation pumps.
Due to the core flow rapid coastdown, the MCPR drops below 1.07 (Safety Limit MCPR) in
about 1 second after the accident, and boiling transition will occur as far as the fifth spacer
position from the top of the fuel assembly. Together with this, the heat-transfer rate from the
fuel cladding tubes to the coolant drops, and the fuel cladding-tube temperature rises. However,
the temperature rise of the fuel cladding tubes subsides within a short time because of the drop
of power due to reactor scram.
On the other hand, the water level inside the core shroud starts to drop after about 56 seconds.
However, the Reactor Core Isolation Cooling System is activated by low level (Level 1.5)
signals of reactor water and starts water injection in about 120 seconds after the accident. The
Automatic Depressurization Systems are also activated by high pressure signals of drywell and
low level (Level 1) signals of reactor water in about 160 seconds after the accident to lower the
reactor pressure, and two Low-Pressure Flooder Systems begin to inject water in about 345
seconds. The water level inside the core shroud does not drop below the top of the active fuel, and
the core is kept flooded. For this reason, a rise in temperature of the fuel cladding tubes
because of core uncovering does not occur. That is, the fuel cladding-tube temperature does
not rise above the temperature rise accompanying the boiling transition immediately after the
accident.
Fig. 3.5.2-1 illustrates the changes in the core flow during these accidents, and Figs. 3.5.2-2
and 3.5.2-3 illustrate the changes in the reactor water level and the reactor pressure. Fig.
3.5.2-4 illustrates the time variations of the fuel cladding tube temperature. The highest fuel
cladding temperature during these accidents is about 600 degree-C.
b. Rupture and oxidation of fuel cladding tubes
Rupture of the fuel rods occurs when the temperature of the fuel cladding tubes rises after an
accident until the circumferential stress of the fuel cladding tubes due to internal pressure
exceeds the tensile strength at that temperature.
Fig. 3.5.2-5 shows that the fuel cladding-tube temperature is about 600 degree-C or less during
a double-ended break of the HPCF lines. On the other hand, in the fuel rods of this reactor, the
maximum calculated difference between the internal and the external pressures is about 5 MPa.
Since the circumferential stress at this time is approximately 3×10¹ N/mm², rupture does not
occur in the fuel rods, as is clear from Fig. 3.5.2-5.
There is very little increase in the thickness of the oxide layer on the fuel cladding tubes
because of the low temperature of the fuel cladding tubes. Moreover, the zirconium-water
reaction fraction in all of the fuel cladding tubes is negligibly small.
c. Summary of analysis results
When the severest single failure during a LOCA is assumed, the fuel cladding temperature is
highest in the case of a double-ended break of the HPCF lines, which is approx. 600 degree-C.
Since there is very little increase in the thickness of oxide layer on the fuel cladding tubes, the
fuel cladding tubes will not lose their ductility. Moreover, rupture will not occur in any of the
fuel rods, and the zirconium-water reaction fraction of all the fuel cladding tubes will be negligibly
small.
Removal of the decay heat of the long half-life nuclides over a prolonged period is assured if one
of the ECCS pumps is activated.
In the case of partial breaks of the HPCF lines or of breaks of various other lines, the
temperature of fuel cladding tubes will be less than in the case of a double-ended break of the
HPCF lines. Thus, they are included within the analysis results for double-ended breaks of the
HPCF lines.
In these analyses, it is assumed that offsite power is lost simultaneously with the accident.
However, the results are included within these analysis results even if the offsite power is not
lost during an accident.
3.5.2.4 Review of Conformance to Acceptance Criteria
As indicated in “3.5.2.3 Analysis of accident process”, the highest value of the fuel cladding
temperature is 1,200°C or lower, and therefore, there are no fuel rods that would be ruptured, and the
increase in the thickness of the oxidized layer of the fuel cladding is 15% or less of the thickness of the
fuel cladding at the time before the oxidization reaction becomes significant.
In addition, since the rate of zirconium-water reaction of the entire fuel cladding is at a negligible
level, the quantity of hydrogen generated by the reaction is low enough from the viewpoint of
securing the integrity of the containment.
The removal of decay heat over a long period of time will be secured if one of the pumps of the
ECCS other than the reactor core isolation cooling system is actuated.
Therefore, the criteria in Japan described in “3.2.1.2 Design Basis Accidents” are met.
3.5.2.5 Assessment of Emissions and Dose Equivalents of Fission Products
3.5.2.5.1 Emissions of Fission Products
(1) Analysis conditions
The migration and emission of fission products during the accident is calculated based on the
following assumptions.
a. The reactor is assumed to operate for a sufficiently long time (2,000 d) at about 102% of
nominal power (4,005 MWt) just before the accident.
b. The concentrations of fission products in the coolant before the accident are assumed to
be equivalent to 1.3 × 10³ Bq/g, or the operational allowable maximum concentration of
I-131. The composition of the products is assumed to be a diffusion composition.
c. As shown in "3.5.2.3 Analysis of Accident Process", there are no additional broken fuel
rods after the accident. Consequently, additional emission of I-131 from the fuel rod that is
caused by a decrease in reactor pressure after the accident is assumed to be 3.7 × 10¹³ Bq/g,
or an average of past actual measurements in the existing plants plus a proper margin. The
composition of other fission products is assumed to be an equilibrium composition. An
emission of noble gas is assumed to be twice as large as that of iodine.
d. Organic iodine is assumed to be 4% of additional iodine from the fuel rod, while 96% of the
iodine is assumed to be inorganic.
e. 50% of inorganic iodine is assumed to be deposited on the inside of the containment, and is
assumed not to contribute to the leakage. Furthermore, the iodine is removed by the water
spray system in the containment, or dissolved into a pool in the suppression chamber. A rate
of the removed or dissolved iodine is assumed to be 100 as a partition coefficient. Organic
iodine and noble gas are assumed not to be removed or dissolved.
f. The natural decay of fission products in the containment is assumed to be allowed for.
g. A rate of leakage from the containment is assumed to be a leakage percentage that
corresponds to a pressure in the containment during the accident, plus a proper margin.
Emissions of fission products that are caused by the leakage of pool water in the
suppression chamber, and led by ECCS outside the containment, are much smaller than
emissions of the products leaked from a gas phase in the containment, and are not a
significant contributor to the leakage. Consequently, the assessment of these emissions is
assumed to be omitted.
h. A heating, ventilating and air conditioning system for reactor and turbine areas that works
during normal operation is assumed to be switched to a standby gas treatment system at a
signal of a low water level in the reactor, for high pressure in a drywell, or for high activity in
the reactor area. The deposition of fission products on floors and walls in the reactor area is
disregarded. Only the natural decay of the products is assumed to be allowed for.
i. A design value of 99.99% is used for the efficiency of iodine removal by a filter in the
standby gas treatment system.
j. A value defined in the design (0.5 times/d) is used for the capacity of the standby gas
treatment system.
k. When effective dose equivalents by direct and skyshine γ rays from fission products in the reactor
area are evaluated, all of the fission products leaked from the containment to the reactor area
are assumed to be uniformly distributed in the area. However, direct and skyshine γ rays from
fission products in the containment are sufficiently shielded by primary shielding in the
reactor, and are not a significant contributor to the assessment of effective dose equivalents.
Consequently, they are assumed to be excluded from radioactive sources in the reactor area.
l. An assessment period after the accident is a period lasting (or an indefinitely longer period
in terms of conservatism) until internal pressure in the containment is decreased to the
extent where the leakage from the containment becomes negligible.
m. Fission products leaked from the containment to the reactor area are treated by the standby
gas treatment system, and then released from an exhaust opening in the system into the air.
n. A single failure is assumed in dynamic equipment of the Stand-by Gas Treatment system
from the standpoint of radioactivity confinement.
(2) Analysis results
Emissions of fission products into the atmosphere that are calculated based on the above analysis
conditions are shown in Table 3.5.2-2.
Also, the processes of release of noble gas and iodine into the atmosphere are shown in Fig. 3.5.2-6
and Fig. 3.5.2-7.
3.5.2.5.2 Assessment of dose equivalent
(1) Analysis assumptions
The fission products emitted into the atmosphere are assumed to be released from an exhaust opening
in the standby gas treatment system. The off-site effective dose equivalent given by the fission
products emitted, and that given by direct and skyshine rays from the fission products in the
reactor area, are calculated based on the following assumptions.
a. The concentrations in the air on the ground surface outside the site boundary are determined
by multiplying the relative concentration of such plant by the total released amount of
nuclear fission products.
b. The gamma-ray air absorption dose due to noble gas outside the site boundary is assumed to
be determined by multiplying the relative dose of such plant by the total release of noble gas.
c. Effective dose equivalents by direct and skyshine γ rays from fission products are
determined based on source intensities of accumulated γ rays that are provided by the
fission products in the reactor and in consideration of the shielding of the reactor building.
(2) Assessment results
Off-site effective dose equivalent is assessed based on the above analysis assumption. The result is
shown in Table 3.5.2-3. This dose is based on assumptions generally used in Japanese assessments
and should only be taken as indicative. It is recognized that the calculated doses will differ when
calculated using UK assumptions and practice.
Judging from the above values, the risk of radiation exposure to the surrounding public by this
accident is considered to be sufficiently small.
3.5.3 Loss of Reactor Coolant Flow Accident (Trip of all Reactor Internal Pumps Accident) (APTA)
3.5.3.1 Causes
It is assumed that all reactor internal pumps trip simultaneously during reactor power operation due
to failure of the power source buses or some other cause.
3.5.3.2 Measures to Prevent Accidents and to Mitigate Accidents
(1) Measures to Prevent Accidents
The following measures are adopted in design and in operation management for the purpose of
preventing the occurrence of loss of reactor coolant flow accident:
a. Two or three of the ten recirculation pumps are each connected to four different systems of
medium voltage buses for normal use. This is done so as to prevent four or more pumps from
shutting down simultaneously because of a single failure of a medium voltage bus for normal
use. These buses are configured so that they are supplied from a generator-side power source
during normal operation of the reactor, and they are still supplied from a starting transformer
even if the generator-side power source is interrupted.
b. Static power-source devices for the recirculation pumps supply power to the motors
driving the recirculation pump. These devices are independently connected to each of the ten
recirculation pumps. This configuration makes it impossible for two or more pumps to shut
down simultaneously because of a single failure of the power-source devices.
c. The main sites are inspected during the period when the reactor is in service, and their
integrity is checked.
(2) Measures to Mitigate Accidents
Even should an all RIPs trip accident occur in spite of the above measures to prevent accidents, the
reactor power will decrease on account of the large negative void reactivity coefficient, and it will
be terminated by means of reactor scram and turbine trip. Thus, there is no concern that the accident
will proceed after that.
3.5.3.3 Analysis of Accident Process
(1) Analysis conditions
a. The reactor is assumed to operate at about 102% of rated power (4,005 MWt) and at a 90%
core flow rate (47,000 t/h) immediately before the accident.
b. The maximum linear heat generation rate of a fuel rod is assumed to be 102% of 44.0 kW/m
(operating limit). For a gap heat transfer coefficient between a fuel clad and pellet, a value
that will make the analysis result more conservative is used in consideration of variations in
the heat transfer during the cycle exposure.
c. A design value for a half time of pump speed that corresponds to a rated core flow rate of a
circulation pump and that of the motor driving the pump is about 0.7 seconds, but a value
10% smaller than this time (0.62 seconds) is used for this analysis so as to give more
conservative results.
d. The reactor scram is assumed to be initiated by a signal of core flow rapid coastdown.
e. A single failure is assumed in safety protection systems (scrams resulting from core flow
rapid coastdown) from the viewpoint of the capability of reactor shutdown.
f. In a safety and relief valve, the relief valves work earlier than the safety valves, but only the
safety valves are assumed to work.
g. Non-operation of turbine bypass valves is assumed so as to give a more conservative result.
(2) Analysis results
Fig. 3.5.3-1 shows responses at the loss of a reactor coolant flow. When all recirculation pumps
are tripped concurrently, the core flow rate decreases rapidly. About 2 seconds later, a signal of
the rapid coastdown in the core flow rate occurs and causes the scram of the reactor.
Consequently, neutron and surface heat fluxes do not exceed their initial values.
On the other hand, the water level in the reactor rises, and turbine trip occurs 3 seconds later on a
high water level in the reactor (Level 8). The turbine trip increases the reactor pressure, but the
scram of the reactor and the operation of a safety valve control the pressure to about
8.23 MPa[gage].
Due to the core flow rapid coastdown, the MCPR drops below 1.07 (safety limit MCPR) about 1
second after the accident, resulting in boiling transition (BT) from the upper fuel assembly to the
fourth spacer. However, the increase in temperature is stopped after a short time because the scram
reduces the power. Fig. 3.5.3-2 shows variations in the peak cladding temperature. The peak cladding
temperature during this accident is about 563 degree-C.
The external pressure is kept higher than the internal pressure in the fuel rods of this reactor during
the accident. Consequently, the circumferential stress does not rupture the fuel rods. Furthermore,
the increase of an oxidized layer on the fuel clad is significantly small because the temperature of the
cladding is low.
As indicated in the analysis result, the event ends. Afterwards, the reactor can be transferred to cold
shutdown by pressure reduction and temperature drop according to the procedures for reactor
shutdown at a reactor scram (during closing of the main steam isolation valve).
3.5.3.4 Review of Conformance to Acceptance Criteria
The criteria applying to this accident are 1) and 3) in Section 3.2.1.2.
As indicated in “Analysis results”, the maximum value of the fuel cladding temperature is 1,200
degree-C or less; and the zirconium-water reaction fraction is 15% or less of the cladding-tube
thickness before the oxidation reaction becomes pronounced. Therefore, 1) is met.
Reactor pressure (reactor vessel dome pressure) reaches about 8.23 MPa[gage], so the pressure on the
reactor coolant pressure boundary stays below 120% of the maximum allowable working pressure.
Therefore, 3) is met.
Therefore, the criteria in Japan described in “3.2.1.2 Design Basis Accidents” are met.
3.5.4 Main Steam Line Break Accident (MSLBA)
3.5.4.1 Causes
If a main-steam line break outside the containment should occur due to some causes during reactor
operation, the reactor coolant begins to flow out from the broken area, and fission products may be
released to the environment.
3.5.4.2 Measures to Prevent Accidents and to Mitigate Accidents
(1) Measures to Prevent Accidents
The following measures are adopted in design and in operation management for the purpose of
preventing the occurrence of main steam line break accidents:
a. In designing the piping, etc., conditions are to be applied taking fully into consideration the
various types of stresses occurring during the reactor life.
b. The selection and working of materials as well as the designing and fabrication of pipes, etc.
are to comply with the various codes and standards, and adequate quality controls are to
be carried out.
c. Detection of the atmospheric temperature inside the main-steam pipe tunnels and other
methods are to be used to detect damage before it develops into breaks, and suitable
measures are to be taken.
(2) Measures to Mitigate Accidents
If an accident should occur in spite of the above measures to prevent accidents, the following
measures will be applied to mitigate the accident:
a. Flow limiters are provided on the steam outlet nozzles of the reactor pressure vessel. They
limit the amount of coolant flowing out during an accident.
b. By signals such as those indicating a large main steam line flow, a high temperature in the
main-steam line tunnels, a high radioactivity in the main steam line or a low main steam line
pressure, the main steam isolation valves (MSIVs) installed on both sides of the drywell
penetrations of the main steam lines are closed automatically to stop release of coolant.
3.5.4.3 Analysis of Accident Process
(1) Analysis conditions
The analysis is carried out based on the following assumptions.
a. The reactor is assumed to operate at about 102% of rated power (4,005 MWt) and at 111%
of a rated core flow rate immediately before the accident.
b. The maximum linear heat generation rate of a fuel rod is assumed to be 102% of 44.0 kW/m
(operating limit). For a gap heat transfer coefficient between a fuel clad and pellet, a value
that will make the analysis result more conservative is used in consideration of variations in
the heat transfer during the cycle exposure.
c. An instantaneous double-ended break of one of the four main steam lines is assumed
outside the containment, and friction loss up to the broken area is not allowed for when the
quantity of coolant released is assessed.
d. A main steam isolation valve is assumed to be completely closed 5 seconds (including a
0.5 second operation delay time) after the accident at a signal of a maximum flow rate in a
main steam line.
e. The reactor scram is assumed to be initiated by a signal of main steam isolation valve
closure.
f. A rate of released flow is assumed to be controlled to 200% of a rated flow rate by a flow
limiter until the flow rate is limited by the isolation valve.
g. A critical flow is calculated based on the critical flow model of Moody.
h. Off-site power is assumed to be lost concurrently with the occurrence of the accident.
Consequently, reactor internal pumps are instantly tripped.
i. A single failure is assumed in safety protection systems (scram for closing the main steam
isolation valve at a signal of a high flow rate in the main steam pipe) from the viewpoint of
the capability of reactor shutdown.
(3) Analysis results
When a double-ended break of one of the four main steam lines occurs instantly, steam in the broken
pipe leaks directly from the upstream broken end of the pipe. Meanwhile, steam moving
through the other three undamaged pipes flows back through the broken pipe via an
interconnector upstream of the turbine stop valve, and is discharged from the downstream broken
end.
The amount of steam discharged from the upstream broken area of the pipe increases from about
102% of the rated flow rate immediately before the accident to about 4244 kg/s, equivalent to the critical
flow at a main steam pipe nozzle. Because this value exceeds the rate of steam generation in the
core, reactor pressure is reduced. The reduced pressure increases the void in the reactor. As a result,
the water level in the reactor increases and reaches the main steam pipe nozzle in about 2
seconds. After that, a two-phase flow is discharged into the main steam pipes.
The main steam isolation valves are completely closed 5 seconds (including a 0.5 second operation
delay) after the accident at a signal of a high flow rate in the main steam pipe, but a signal for the
closing of the valve is generated about 1 second after 10% closing of the valve, resulting in the
reactor scram. Time variations of the amount of discharged coolant during the accident, the average core
pressure and the core flow rate are shown in Fig. 3.5.4-1 and Fig. 3.5.4-2.
The amounts of steam and water discharged from the broken area until full closing of the main steam
isolation valves are as follows.
Steam: approximately 1.6 × 10^4 kg
Water: approximately 2.4 × 10^4 kg
However, approx. 8.6 × 10^4 kg of coolant needs to be discharged in order to start uncovering
the core. Consequently, the core is not uncovered during the accident.
On the assumption that a loss of off-site power occurs with the accident, a trip of all internal
pumps decreases the core flow rate rapidly.
Due to the rapid coastdown of the core flow, MCPR drops below 1.07 (safety limit MCPR) about 1 second
after the accident, resulting in the occurrence of boiling transition (BT) from the upper fuel assembly
to the fifth spacer. With boiling transition, the coefficient of heat transfer from the fuel clad to the
coolant becomes low, and the fuel cladding temperature increases. However, the increase in
temperature stops after a short time because the scram reduces the power.
Fig. 3.5.4-3 shows variations in temperature at the position where the peak cladding temperature occurs.
The peak cladding temperature during this accident is about 569 degree-C.
The rupture of the fuel rods occurs when, after the accident, the fuel cladding heats up and the
circumferential stress due to the internal pressure of the fuel cladding exceeds the tensile strength
held at that temperature. The fuel cladding temperature in this accident is about 569 degree-C or
less. On the other hand, the external pressure is kept higher than the internal pressure in the fuel rods
during the accident. Consequently, the circumferential stress due to internal pressure in the fuel rods
does not cause rupture of the fuel rods, as shown in Fig. 3.5.2-5.
Furthermore, the increase of the oxidized layer on the fuel clad is very small because the fuel
cladding temperature is low.
3.5.4.4 Review of Conformance to Acceptance Criteria
As shown in "3.5.3.3 Analysis of Accident Process," no fuel rod will burst in this accident.
Moreover, the maximum temperature of the fuel cladding is 1,200°C or less and the rise in the
thickness of the oxidized layer of the fuel cladding is not more than 15% of the thickness of the fuel
cladding before the oxidation reaction becomes considerable, so that it will retain a geometry that
can be cooled and the cooling capability will not be lost. Therefore, no new damage will occur to the
fuel rods due to this accident, and the criterion 1) described in “3.2.1.2 Design Basis Accidents” is
met.
Therefore, the criteria in Japan described in “3.2.1.2 Design Basis Accidents” are met.
3.5.4.5 Assessment of Emissions and Dose Equivalents of Fission Products
3.5.4.5.1 Emission of Fission Products
(1) Analysis conditions
The migration and emissions of fission products during the accident are assessed based on
the following assumptions.
a. The concentrations of fission products in the coolant before the accident are assumed to be
equivalent to 1.3 × 10^3 Bq/g, or the operational allowable maximum concentration of I-131.
Their compositions are assumed to be a diffusion composition. The concentration of halogen
in the gas phase is assumed to be 2% of that in the liquid phase.
b. Additional emission of I-131 from the fuel rod that is caused by a decrease in reactor
pressure after the accident is assumed to be 3.7 × 10^13 Bq/g, or an average of past actual
measurements in the existing plants plus a proper margin. The composition of other fission
products is assumed to be an equilibrium composition. The emission of noble gas is assumed
to be twice as large as that of iodine.
c. Fission products that are additionally emitted from a fuel rod before closing the main steam
isolation valves are assumed to be released in proportion to the rate of decrease in reactor
pressure before closing the valves, but additional fission products are assumed not to be
emitted from the broken area.
d. Fission products that are additionally emitted from a fuel rod after the closing of the valves
are assumed to be gradually emitted to the coolant with the reduction of reactor pressure.
e. Organic iodine is assumed to be 4% of additional iodine from the fuel rod, while 96% of the
iodine is assumed to be inorganic.
f. Of the fission products that are additionally emitted from the fuel rod, all of the noble gases
are assumed to migrate instantly to the gas phase. 10% of the organic iodine is assumed to
migrate instantly to the gas phase, and the rest is assumed to decompose. 2% of inorganic
iodine and halogen other than iodine that are decomposed from inorganic and organic iodine
are assumed to be carried over to the gas phase.
g. A single failure in a main steam isolation valve is assumed from the viewpoint of
radioactivity confinement: one of the eight main steam isolation valves is assumed not to
close, and steam leaks from the seven closed main steam isolation valves. The total
leakage rate of the valves is assumed to be 30%/d based on a design leakage rate of 10%/d
(one valve to the gas phase volume in the pressure vessel at the minimum set pressure of the safety
and relief valve), in consideration of the closing of seven valves in the four main steam
pipes. Subsequent leakage rates depend on reactor pressure and temperature.
h. On the assumption that steam equivalent to decay heat migrates to the pool water in the
suppression chamber through the safety and relief valves after the closing of the main steam
isolation valves, the quantity of the steam is assumed to be 320 times/d the gas
phase volume in the vessel. Fission products contained in this steam are assumed not to
contribute to radiation exposure.
i. The reactor pressure after the closing of the valves is assumed to be linearly reduced to
atmospheric pressure in 24 hours by the safety and relief valves, the Reactor Core Isolation
Cooling System and the Residual Heat Removal System. As a result, the leakage from the main
steam system is assumed to be stopped.
j. 50% of inorganic iodine and halogen other than the iodine that is decomposed from the
inorganic/organic iodine emitted into the turbine building is assumed to be deposited on floors
and walls. Noble gas and organic iodine are assumed not to be deposited.
k. The coolant discharged from the broken area before the closing of the main valves is assumed
to be completely vaporized, and to form a vapour cloud that uniformly contains fission
products emitted at the same time.
l. The fission products that are leaked from the main steam system after the closing of the
valves are assumed to be dispersed aboveground into the atmosphere.
(2) Analysis results
Emissions of the fission products into the atmosphere that are calculated based on the above
analysis conditions are shown in Table 3.5.4-1.
Also, the processes of release of noble gas and halogen etc. into the atmosphere are shown in Fig.
3.5.4-4 and Fig. 3.5.4-5.
3.5.4.5.2 Assessment of Dose Equivalent
(1) Analysis assumptions
Fission products emitted into the atmosphere are assumed to be dispersed aboveground from a turbine
building. Off-site effective dose equivalent that is given by the emissions is calculated based on the
following assumptions.
a. The coolant that contains fission products released before the closing of the main steam
isolation valves is assumed to be completely vaporized in high temperature and low
humidity in the atmosphere, and to form a hemispherical vapour cloud. In this case, a
smaller vapour cloud will increase the effective dose equivalent, while the vapour cloud will
become smaller under an outside air condition of higher temperature and lower relative
humidity. In order to determine the size of the vapour cloud, a temperature of 35 degree-C and
a relative humidity of 47% are used.
b. The hemispherical vapour cloud is assumed to move downwind at a rate of 1 m/s in
consideration of a short-time emission.
c. The concentrations in the air on the ground surface outside the site boundary of fission
products, which are emitted into the atmosphere through the main steam isolation valves after
the closing of the valves, are determined by multiplying the relative concentrations of the
plant by the total released amount of nuclear fission products.
d. The γ absorbed dose outside the site boundary by noble gas and halogen etc. is determined
by multiplying the relative dose of the plant by the total released amount of noble gas and
halogen etc.
(2) Assessment results
Off-site effective dose equivalent is assessed based on the above analysis assumptions. The result is
shown in Table 3.5.4-2. This dose is based on assumptions generally used in Japanese assessments
and should only be taken as indicative. It is recognized that the calculated doses will differ when
calculated using UK assumptions and practice.
Judging from the above values, the risk of radiation exposure to the surrounding public by this
accident is considered to be sufficiently small.
3.5.5 Abnormal Change in Pressure and Atmosphere etc. in the Primary
Containment (Analysis of Pressure and Temperature Responses of
Containment Vessel)
3.5.5.1 Causes
The cause of this accident is the same as that described in "3.5.2.1 Causes."
3.5.5.2 Measures to Prevent Accidents and to Mitigate Accidents
The measures to prevent and to mitigate these accidents are the same as those described in "3.5.2.2
Measures to Prevent Accidents and to Mitigate Accidents".
3.5.5.3 Analysis of Accident Process
In order to confirm the integrity of the containment vessel during a LOCA, an analysis of a
complete-break accident of the feedwater lines is carried out. This is the accident in which there is
the highest containment-vessel pressure.
(1) Analysis conditions
The following assumptions are used in the analysis:
a. It is assumed that the reactor has been operating at about 102% of the rated power (4,005
MWt) until immediately before the onset of the accident.
b. It is assumed that offsite power is lost simultaneously with the onset of the accident.
Consequently, the recirculation pumps are tripped immediately.
c. Moody's critical-flow model is used to calculate the discharged flow of coolant from the
broken area.
d. Immediately before the onset of the accident the drywell temperature is assumed to be 57
degree-C, the pool water temperature of the suppression chamber is assumed to be 35
degree-C, and the pressure inside the containment vessel is assumed to be 5 kPa[gage].
e. It is assumed that the Residual Heat Removal System is manually switched to the
Containment Vessel Spray Cooling System 10 minutes after the accident, and this operation
is completed 15 minutes after the accident in consideration of the time required for the
operation.
f. A single failure is assumed in the dynamic equipment of the Containment Vessel Spray
Cooling System.
(2) Analysis results
If there is a complete break of the feedwater lines, the coolant flows out rapidly from the reactor and
turbine side into the drywell, and the drywell pressure increases.
For this reason, most of the gases inside the drywell are driven out by the discharged flow of coolant
into the suppression chamber, and the steam in the gases is condensed by the pool water of
suppression chamber. On the other hand, the non-condensable gases migrate to the airspace of the
suppression chamber, and the pressure in the suppression chamber increases.
After the water level in the pressure vessel is restored up to the elevation of the feedwater lines
(converted into terms of static head) due to the activation of the ECCS, the excess water flows out
through the broken area to the drywell. It cools and condenses the steam in the drywell and causes
the heat generated in the core to move into the suppression chamber. As a result of condensation of
the steam in the drywell, the drywell pressure decreases, and the vacuum breakers are actuated
passively to redistribute the non-condensable gases in the suppression chamber to the drywell and
the suppression chamber. The Residual Heat Removal System is used at first as a Low Pressure
Flooder System, but 15 minutes after the accident it is switched manually so that one pump is used as
a Containment Vessel Spray Cooling System to lower the pressure in the containment vessel.
After the heat generation from the core becomes equal to the heat removal by cooling system, the
temperature in the suppression chamber is gradually lowered.
As a result of the heat removal, the temperature in the drywell and in the suppression chamber is
lowered, and the pressure also decreases along with this. Figs.3.5.5-1 and 3.5.5-2 show the results
of analysis of the pressure and temperature variations in the drywell and in the suppression chamber
after the accident.
It is clear from these figures that the pressure inside the containment vessel reaches its maximum
pressure of about 250 kPa[gage] in about 28 seconds after the accident. This is lower than 310
kPa[gage], the maximum allowable working pressure of the containment vessel. Because of the
activation of the Containment Vessel Spray Cooling System, the pressure in the containment vessel
can be lowered to the atmospheric pressure. The temperature in the drywell and the pool water
temperature of the suppression chamber reach about 138 degree-C and 97 degree-C, respectively.
These are lower than the maximum allowable working temperatures of 171 degree-C and 104
degree-C, respectively.
3.5.5.4 Review of Conformance to Acceptance Criteria
As shown in section 3.5.5.3 “Analysis of Accident Process”, the temperature in the containment
(temperature of the drywell and pool water temperature in the suppression chamber) does not exceed
the maximum operating temperature, and the pressure applied to the boundary of the reactor
containment is lower than the maximum operating pressure. Accordingly, 2) and 3) in “3.2.1.2
Design Basis Accidents” are met.
3.5.6 Conclusions
In this section, some examples of infrequent design basis faults based on Hitachi-GE practice in
Japan are presented. As indicated in the sections of "Review of conformance to acceptance criteria"
for each fault, they meet acceptance criteria in Japan for all assumed faults.
DSA for infrequent design basis faults on UK ABWR will be performed to confirm the adequacy of
the safety design and the suitability and sufficiency of the safety measures against target 4 in HSE
SAPs in Step 2.
Table 3.5.2-1 Main analysis conditions for loss of coolant accidents [4]
Item | Value used
Reactor thermal power | Approx. 102% of the rated power (4,005 MW)
Maximum linear heat generation rate | 44.0 kW/m × 1.02
Core flow rate | 90% of the rated flow rate (47.0 × 10^3 t/h)
Reactor dome pressure | 7.17 MPa [gage]
Core inlet enthalpy | 1.23 MJ/kg
High pressure core flooder system flow rate (rated value) | 727 m^3/h (At 0.69 MPa [dif] per pump)*
Low pressure flooder system flow rate (rated value) | 954 m^3/h (At 0.27 MPa [dif] per pump)*
Reactor core isolation cooling system flow rate (rated value) | 182 m^3/h (At 8.12 to 1.03 MPa [dif] per pump)*
Setpoints for reactor water level low (main steam isolation valve closed), high pressure core flooder system, reactor core isolation cooling system (core cooling function), and emergency diesel power generator (divisions II and III) | Level 1.5
Setpoints for reactor water level low (low pressure flooder system and emergency diesel power generator (division I) starting, automatic depressurization system) | Level 1
*: MPa [dif] : differential pressure between reactor pressure vessel and water source
Table 3.5.2-2 Amounts of Fission Products Released during Loss of Coolant
Accidents [4]
Fission products | Amounts released (Bq)
Noble gases (converted into γ ray energy of 0.5 MeV) | Approx. 3.5 × 10^11
Iodine (I-131 equivalent) | Approx. 6.3 × 10^6
Table 3.5.2-3 Off-Site Effective Dose Equivalence during Loss of
Coolant Accidents [4]
Plant | Effective dose equivalence (mSv)
Kashiwazaki-Kariwa Unit 7 | Approx. 1.5 × 10^-5
Table 3.5.4-1 Amounts of Fission Products Released during a Main Steam
Line Break Accident [4]
Amounts released (Bq)
Fission products | Before main steam isolation valves are closed | After main steam isolation valves are closed
Noble gas and Halogen, etc.* (converted into γ ray of 0.5 MeV) | Approx. 3.1 × 10^12 | Approx. 6.1 × 10^11
Iodine (I-131 equivalent amount) | Approx. 3.9 × 10^10 | Approx. 1.8 × 10^9
* These products include iodine and are treated from the viewpoint of evaluation of effective dose
equivalent due to external radiation exposure.
Table 3.5.4-2 Off-Site Effective Dose Equivalent at a Main Steam Line
Break Accident [4]
Plant | Effective dose equivalence (mSv)
Kashiwazaki-Kariwa Unit 7 | Approx. 1.7 × 10^-2
[Figure: core flow rate (ratio to the rated value) versus time (s)]
Fig. 3.5.2-1 Variations of core flow rate during a double-ended break accident of
HPCF piping [4]
[Figure: reactor water level (m) (water level inside core shroud) versus time (s), with the top of active fuel and bottom of active fuel marked]
Fig. 3.5.2-2 Variations of reactor water level during a double-ended break accident
of HPCF piping (with actuation of Reactor Core Isolation Cooling System, two
pumps of Low Pressure Flooder System) [4]
[Figure: reactor pressure versus time (s)]
Fig. 3.5.2-3 Variations of core average pressure during complete break accident of
HPCF piping (with actuation of Reactor core isolation cooling system and two
units of Low pressure flooder system) [4]
[Figure: peak cladding temperature (˚C) versus time (s)]
Fig. 3.5.2-4 Temperature change at the position giving the maximum temperature
of the fuel cladding at an accident of complete break of the HPCF lines (with
actuation of Reactor core isolation cooling system and two units of Low pressure
flooder system) [4]
[Figure: circumferential stress versus cladding temperature (˚C). Key labels legible in the figure: (not irradiated), (TREAT tests), (irradiated), (in air, one fuel rod), (already oxidized, one fuel rod), (in air, nine fuel rods, test I), (in air, nine fuel rods, test II), (Vallecitos data)]
Fig. 3.5.2-5 Relationship between fuel cladding temperature and fuel cladding
stress in the circumferential direction at time when rupture occurs in fuel rods
Fig. 3.5.2-6 Process of release of noble gases into the atmosphere during loss of
coolant accidents (values converted into gamma rays of 0.5 MeV) [4]
Fig. 3.5.2-7 Process of release of iodine into air during loss of coolant accidents
(I-131 equivalent) [4]
[Figure, two panels plotted against time (s). First panel: neutron flux (%), average surface thermal flux (%), core inlet flow (%), reactor steam flow (%). Second panel: variations in reactor water level (× 5 cm), variations in reactor pressure (× 0.02 MPa), turbine steam flow (%), flow of safety valves (%)]
Fig. 3.5.3-1 Variations during Loss of reactor coolant flow accident
(Trip of all reactor internal pumps accident) [4]
[Figure: peak cladding temperature (˚C) versus time (s)]
Fig. 3.5.3-2 Temperature variations at positions giving maximum temperature of
fuel cladding during Loss of reactor coolant flow accident (Trip of all reactor
internal pumps accident) [4]
[Figure: amount of discharged coolant (kg/s) versus time (s), with steam flow and two-phase flow regions marked]
Fig. 3.5.4-1 Variation of amount of discharged coolant at a main steam line break
accident [4]
[Figure: core flow rate (ratio to the rated value) and average core pressure versus time (s)]
Fig. 3.5.4-2 Change of core flow and average core pressure at a main steam line
break accident [4]
[Figure: peak cladding temperature (˚C) versus time (s)]
Fig. 3.5.4-3 Temperature change at the position giving the maximum temperature
of the fuel cladding at a main steam line break accident [4]
Fig. 3.5.4-4 Process of Noble gas release into atmosphere at a main steam line
break accident (converted into γ ray energy of 0.5 MeV) [4]
Fig. 3.5.4-5 Process of Halogen release into atmospheres at a main steam line
break accident [4]
[Figure: pressure in the containment vessel (drywell and suppression chamber) versus time (s); one High Pressure Core Flooder System and two Residual Heat Removal Systems actuated]
Fig. 3.5.5-1 Pressure variations in drywell and suppression chamber during
complete break accident of feedwater piping [4]
[Figure: drywell temperature and suppression chamber pool water temperature (˚C) versus time (s); one High Pressure Core Flooder System and two Residual Heat Removal Systems actuated]
Fig. 3.5.5-2 Variations of the temperature in the drywell and the pool water
temperature in the suppression chamber during complete break accident of
feedwater line [4]
3.6 Beyond Design Basis Faults
3.6.1 Frequent faults with common mode failure of engineered safety system
DSA for UK ABWR will be performed in Steps 2 and 3. Therefore, this section shows an example of
analysis results for frequent design basis faults with common mode failure of engineered safety systems,
which were obtained on the basis of Hitachi-GE practice, and the UK provision will be discussed.
This example explains the causes of the occurrence, the safety function and the fault sequence based
on analysis results.
3.6.1.1 Evaluated Events
Based on PSA, fault sequences that could result in significant core damage are selected as the events
to be assessed. They are selected from the following points of view.
1) The core is significantly damaged by multi-system failures caused by common cause
failures or functional dependency.
2) The time margin to implement countermeasures for core damage prevention is small.
3) The fault sequence is representative among the fault sequence group.
The following fault sequence groups are identified to be assessed. However, these fault sequence
groups will be re-assessed in Steps 2 and 3 based on UK practice and rules.
(a) High and low pressure coolant injection failure
(b) High pressure coolant injection failure and depressurization failure
(c) Loss of off-site power and failure of coolant injection with limited system (Station
blackout)
(d) Decay heat removal failure
(e) Maintaining sub-criticality failure
(f) Coolant injection failure at LOCA
(g) Containment bypass (Interface system LOCA)
Fault sequences of beyond design basis faults will be analyzed using realistic and best estimate
assumptions.
As an example, the analysis result of the following event, chosen from those listed above, is shown in
this section.
(1) Loss of off-site power and failure of coolant injection with limited system (Station blackout)
3.6.1.2 Loss of off-site power and failure of coolant injection with limited system
(Long Term Station blackout)
(1) Event and its success scenario
After station blackout occurs, the safety systems and components are all assumed to fail.
Significant core damage can be avoided by maintaining the reactor water level at the proper level by
water injection using RCIC (Reactor Core Isolation Cooling system). Water injection is implemented
by reactor depressurization and the alternative low pressure coolant injection system when the gas turbine
generator and the alternative low pressure coolant injection system are available. This success scenario
is based on Hitachi-GE practice. This is an extreme case. The UK provision will be discussed.
(2) Analysis condition
[This information is removed intentionally]
(3) Analysis Results
[This information is removed intentionally]
[This information is removed intentionally]
3.6.2 Severe accident analysis
DSA for UK ABWR will be performed in Steps 2 and 3. Therefore, this section shows an example of
analysis results for severe accident analysis, which were obtained on the basis of Hitachi-GE
practice, and the UK provision will be discussed.
3.6.2.1 Evaluated Events
In the accident progression, loss of core cooling leads to a core melt condition. The following
uncertain threats to containment integrity exist under core damage conditions.
(a) Containment overpressure/overtemperature failure (Static loading)
(b) High pressure molten core ejection/Direct containment heating
(c) Interaction between molten core and coolant outside the RPV
(d) Hydrogen combustion
(e) Direct containment contact (shell attack)
(f) Molten core-concrete interaction
In this analysis, representative accident sequences with core melt are analyzed to justify the
capability of overpressure and overtemperature control. The other uncertain phenomena will be
discussed in the PSA section.
As an example, the analysis result of the following event, chosen from those listed above, is shown in
this section.
(1) Containment overpressure/overtemperature failure (Static loading)
3.6.2.2 Containment overpressure/overtemperature failure (Static loading)
(1) Event and its success scenario
The containment pressure and temperature are slowly increased by the accumulation of steam generated
by decay heat of the molten core and high temperature coolant in the containment, and of
non-condensable gas generated by interaction between metal and water, which could lead to
containment failure.
The molten core is cooled using reactor water injection and alternative containment spray cooling
system, and the decay heat is removed from containment by containment venting so that
containment failure and significant release of any radioactive material into the environment are
avoided. This success scenario is based on Hitachi-GE practice and the UK provision will be
discussed.
(2) Analysis condition
[This information is removed intentionally]
(3) Analysis Results
[This information is removed intentionally]
3.7 Conclusions
In this section, examples of DSA performed based on Hitachi-GE practice are presented. According
to these analysis results, acceptance criteria in Japan are met by safety systems on Japanese ABWR.
DSA for UK ABWR will be performed to confirm the adequacy of the safety design and the
suitability and sufficiency of the safety measures against target 4 in HSE SAPs in Step 2.
4. Probabilistic Safety Assessment
PSA (Probabilistic Safety Assessment) provides an integrated and structured safety analysis that
combines engineering and operational features in a consistent overall quantification framework. This
provides a logical basis for identifying any relative weaknesses in the design, as reflected in the
quantitative outputs. PSA is therefore a useful tool for estimating vulnerabilities in the plant and
the effectiveness of countermeasures.
This section describes the requirements and assumptions, as high level information on the method,
together with some examples and indicative results of PSA.
4.1 Requirements and Assumptions
This sub-section proposes and describes targets, main assumptions, scope of PSA, and success
criteria to be adopted for the UK ABWR PSA.
(1) Target
UK ABWR design should be demonstrated to comply with Targets 7, 8, and 9 in relation to PSA.
HSE SAPs define two types of safety level with different numerical values. These are BSLs (Basic
Safety Levels) and BSOs (Basic Safety Objectives). The BSL must be met as a minimum. The BSOs
form benchmarks that reflect modern nuclear safety standards and expectations.
The results from the UK ABWR PSA study will be explained in relation to these numerical targets.
a. Target 7
To confirm compliance with Target 7 of HSE SAPs, the individual risk of death to a person off the
site, from on-site accidents that result in exposure to ionizing radiation, will be assessed and will be
below 10^-7 /year.
The corresponding BSO and BSL for Target 7 are:
BSL : 1 x 10^-4 pa
BSO : 1 x 10^-7 pa
b. Target 8
To confirm compliance with Target 8 of HSE SAPs, the summated frequency of accidents for the
UK ABWR leading to individual doses of different magnitudes will be assessed against the limits
given in Table 4.1-1. It will need to be shown for the UK ABWR design that the total frequency of
accidents in each of the different dose categories in the table is below the Maximum Tolerable Limit.
The design objective will be to achieve an accident frequency in each dose category that is below the
Broadly Acceptable Level.
Table 4.1-1 Target 8 of HSE SAPs
(Total predicted frequency per year)
Effective Dose (mSv) | BSL (Maximum Tolerable Limit) | BSO (Broadly Acceptable Limit)
0.1 - 1              | 1                             | 1 x 10^-2
1 - 10               | 1 x 10^-1                     | 1 x 10^-3
10 - 100             | 1 x 10^-2                     | 1 x 10^-4
100 - 1000           | 1 x 10^-3                     | 1 x 10^-5
>1000                | 1 x 10^-4                     | 1 x 10^-6
c. Target 9
To confirm compliance with Target 9 of HSE SAPs, the total risk of 100 or more fatalities, either
immediate or eventual, from on-site accidents that result in exposure to ionizing radiation, will be
assessed and will be below 10^-7 /year.
The corresponding BSO and BSL for Target 9 are:
BSL : 1 x 10^-5 pa
BSO : 1 x 10^-7 pa
(2) Main Assumptions
For UK ABWR PSA, all of the design information in the GDA process will be applied at the
beginning of the assessment. Lack of information will be covered by assumptions such as the
following:
- Generic data for component reliability is applicable.
- The same procedure of maintenance and surveillance test as in the existing plant is applied.
- For human error probability, a screening value is applied.
(3) Scope of PSA
A full scope Level 3 PSA, i.e. a PSA which covers all sources of radioactivity at the facility, all types
of initiating faults, and all operational modes, will be provided in the UK ABWR PCSR.
With regard to sources of radioactivity, reactor and spent fuel pool will be assessed. Other sources,
which may have significant impact on public dose, will also be assessed. For initiating faults and
operational modes, all types of initiating faults and operational modes will be included and the use of
screening and bounding arguments will be justified.
(4) Success Criteria for Level 1 PSA
Level 1 PSA estimates core damage frequency. Therefore, success of the combination of fundamental
functions to prevent core damage will be defined by using the necessary minimum functions or
systems. The success criteria for level 1 PSA consist of systems whose functions are:
- Reactivity control,
- Core cooling, and
- Long-term heat removal.
A definition of success and failure for each function or system will be provided based on realistic
analysis.
(5) Success Criteria for Level 2 PSA
Level 2 PSA estimates large release frequency. Therefore, success of functions to prevent large
release in conjunction with core damage will be defined by using the necessary functions or systems.
The success criteria for level 2 PSA consist of systems whose functions are:
- Damaged core cooling, and
- Decay heat removal
A definition of success and failure for each function or system will be provided based on realistic
analysis.
4.2 Internal Event Level 1 PSA
This sub-section describes the model, data for risk analysis, and indicative results from
experience and CDF estimate, regarding internal event level 1 PSA at power and shutdown.
4.2.1 Internal Event Level 1 PSA (Reactor core during normal operation)
4.2.1.1 Procedure of Internal Event Level 1 PSA
A standard for internal level 1 PSA during power operation established by the Atomic Energy
Society of Japan [5] provides the procedure of the PSA as follows.
1. Investigation of plant information
2. Selection of initiating faults and estimation of their frequencies
3. Establishment of success criteria
4. Analysis of accident sequences
5. System reliability analysis
6. Human reliability analysis
7. Preparation of necessary parameters
8. Quantification of accident sequences
9. Uncertainty analysis and sensitivity analysis
10. Documentation
4.2.1.2 Model and Data
(1) Initiating Faults
A range of fault sequences, including multiple failures, is considered in the PSA. Transient, LOCA
and manual shutdown are identified based on review of industry PSAs and guidance.
The transient event is composed of several groups, which are developed according to the plant
condition and features of the initiating events. LOCA is divided into 3 groups considering the
required mitigation system. Manual shutdown is composed of normal shutdown and other manual
shutdowns with loss of an emergency system or support system.
Initiating fault frequencies for transient and manual shutdown are estimated based on the Utility
Requirements Document (URD) [6], or operating practices in Japan, where applicable. Initiating
fault frequencies for LOCA are developed from NUREG-1829 [7] and NUREG-5750 [8].
The following are examples of initiating events in a PSA of Japanese ABWR. Table 4.2.1.2-1 shows
an example of detailed transient events in the PSA.
Transient:
• Non-isolation events
• Isolation events
• Loss of all feedwater flow
• Decrease in reactor water level events
• Failure of Reactor Protection System (RPS), etc.
• Loss of off-site power
• Inadvertent open relief valve (IORV)
Loss of coolant accident (LOCA):
• Large LOCA
• Medium LOCA
• Small LOCA
Manual shutdown:
• Planned normal shutdown
• Loss of emergency AC power supply
• Loss of emergency DC power supply
• Loss of emergency reactor cooling water system (RCW)
• Failure of turbine support systems
(2) Accident Sequence Analysis
Accident sequence event tree structures and end states are defined for each initiating fault category
based on the expected response of mitigating systems. Success criteria are established to determine
the minimum set of trains or components that will successfully perform an intended function. The
success criteria are incorporated into the fault trees to define the minimum set of faults that lead to
functional failure. The important functions and their main success criteria are as follows.
Reactivity Control:
• RPS (Reactor Protection System)
• ARI (Alternative Rod Insertion system) and RPT (Recirculation Pump Trip)
• SLC (Standby Liquid Control system) and RPT (Recirculation Pump Trip)
Core Cooling:
• Feedwater system/Condensate system
• RCIC
• HPCF
• LPFL and RPV depressurization
• Alternative water injection system and RPV depressurization
Long-term Cooling:
• RHR
• Containment Venting with water addition
Indicative success criteria for UK ABWR based on previous studies for ABWR PSA are shown in
Table 4.2.1.2-2. An example event tree for non-isolation events, which is the basis of the other
event trees, is shown in Fig.4.2.1.2-1.
Adequacy of the success criteria is demonstrated by deterministic analyses with the following
analysis codes. The initiating time of each mitigation system with which core damage is prevented
is calculated.
Reactivity control: ODYN, or REDY and SCAT
Core cooling: SAFER or MAAP
Long-term Cooling: MAAP
Core damage occurs directly from failure of the core cooling key safety function, and indirectly from
the failure of reactivity control, RPV overpressure protection, or containment heat removal.
The acceptance criteria used as the PSA success criteria are realistic ones, which are described below.
Reactivity Control
  To achieve sub-criticality and maintain the reactor in a sub-critical state
RPV Overpressure Protection
  To maintain the reactor coolant pressure boundary below 120 percent of the maximum
  design pressure
Core Cooling
  To maintain a peak cladding temperature (PCT) below 1200 degrees C for establishing
  adequacy of coolant inventory (This criterion defines the onset of core damage.)
Long-term Heat Removal (Containment Heat Removal)
  To maintain the containment pressure below the ultimate containment strength
The end state of the accident sequences is the safe shutdown state defined for general ABWR. Mission
time is 24 hours for Hitachi-GE practice. For UK ABWR analysis, mission time is determined
considering the time for achieving the end state.
(3) System Analysis
System fault trees are developed based on the standard industry techniques and will reflect the UK
ABWR system design. The systems which correspond to the functional headings described in the
event trees have their system fault trees. A PSA support document [9] contains the following items:
functional description, assumptions, system description, automatic and manual control, system
interfaces, system testing, system maintenance, CCF (Common Cause Failures) and fault tree
analysis results.
Component failure probabilities are estimated from generic industry data such as URD [6],
JANSI [10] and so on. An appropriate database will be used for UK ABWR. Data and the methodology
for maintenance and test unavailability are based on the generic data or experiences of Japanese
ABWR. Common cause failure rates will be developed from generic data.
(4) Human Reliability Analysis
Task analyses and human error probability assessments are performed where operator actions are
shown to have a significant effect on risk. The PSA operator actions are used to develop specific
operator actions in the emergency response procedures. The methodology used in the existing study
is in accordance with the THERP (NUREG/CR-1278) [10] and considers omission error and
commission error. For human reliability analysis of UK ABWR PSA, THERP [10] or Accident
Sequence Evaluation Program HRA Procedure (ASEP) [10] is used.
Pre-accident human error considers recovery at the end of test/maintenance (e.g. valve operation
error). Post-accident human error considers manual operations and recoveries.
(5) Quantification
The purpose of the core damage frequency quantification is to obtain the Boolean equation
corresponding to the final event: “core damage”. The equation is developed in terms of minimal
cut-sets, which represent the minimal combinations of events that result in core damage.
Quantification of the model results in overall core damage frequency, as well as core damage
frequency as a function of initiating faults or plant damage states (PDSs).
The computational tool for quantification of PSA for Japanese ABWR is NUPRA. NUPRA, CAFTA,
or other appropriate tool will be selected for PSA of UK ABWR GDA.
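The minimal cut-set quantification described in (5) can be traced on the reactivity control success criteria listed in (2). The following Python example is added here and is not part of the original report or of any Hitachi-GE model: it assumes the three listed items are alternative success paths, that basic events are independent (no CCF), and it uses constructed failure probabilities.

```python
from itertools import combinations, product

# Success paths for reactivity control as listed in (2), read here
# (assumption) as alternatives: any one complete path achieves the function.
SUCCESS_PATHS = [{"RPS"}, {"ARI", "RPT"}, {"SLC", "RPT"}]

# CONSTRUCTED per-demand failure probabilities; these are not plant data.
FAIL_PROB = {"RPS": 1e-5, "ARI": 1e-2, "SLC": 1e-1, "RPT": 1e-3}


def minimal_cut_sets(success_paths):
    """Derive the minimal cut-sets for loss of the function.

    The function is lost when every success path has lost at least one of
    its members, i.e. the top event is an AND over paths of an OR over the
    members of each path. Expanding that expression gives candidate
    cut-sets; absorption removes any candidate that contains a smaller one.
    """
    candidates = {frozenset(choice) for choice in product(*success_paths)}
    minimal = [c for c in candidates
               if not any(other < c for other in candidates)]
    return sorted(minimal, key=lambda c: (len(c), sorted(c)))


def cut_set_probability(events, fail_prob):
    """Probability that all basic events in a set fail (independence)."""
    p = 1.0
    for event in events:
        p *= fail_prob[event]
    return p


def rare_event_approximation(cut_sets, fail_prob):
    """Sum of cut-set probabilities: an upper bound on the top event."""
    return sum(cut_set_probability(cs, fail_prob) for cs in cut_sets)


def inclusion_exclusion(cut_sets, fail_prob):
    """Exact top event probability for independent basic events."""
    total = 0.0
    for k in range(1, len(cut_sets) + 1):
        sign = 1.0 if k % 2 else -1.0
        for group in combinations(cut_sets, k):
            joint = frozenset().union(*group)  # all events in the group fail
            total += sign * cut_set_probability(joint, fail_prob)
    return total


if __name__ == "__main__":
    mcs = minimal_cut_sets(SUCCESS_PATHS)
    for cs in mcs:
        print(sorted(cs), f"{cut_set_probability(cs, FAIL_PROB):.3e}")
    print("rare-event approximation:",
          f"{rare_event_approximation(mcs, FAIL_PROB):.4e}")
    print("inclusion-exclusion     :",
          f"{inclusion_exclusion(mcs, FAIL_PROB):.4e}")
```

RPT appears in two of the three success paths, so its failure together with RPS failure forms a two-event cut-set; the shared dependency only becomes visible once the paths are converted to cut-sets.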
(6) Plant Damage State (PDS)
There are three essential functions for ABWR. Headings of event trees are generally lined up in
the following order.
First, the reactor reactivity control function;
Second, core cooling functions, which are the high pressure coolant injection into the RPV,
or the RPV depressurization and the low pressure coolant injection into the RPV; and
Third, long-term heat removal function.
For example, in the event tree shown in Fig.4.2.1.1-1, a heading “C” is for the reactor reactivity
control function, headings from “Q” to “VD” are for the core cooling function, and headings from
“WP” to “WD” are for the long-term heat removal function. A heading “M” is for the pressure relief
function to avoid over-pressure of the RPV.
First, the PDS in which the reactor reactivity control of the first stage fails is defined as a “TC”.
Second, there are several PDSs defined for failure of core cooling. The PDS in which the high
pressure core injection and the RPV depressurization fail is defined as a “TQUX”. The PDS with
failure of the high pressure core injection followed by successful depressurization and failure of low
pressure core injection is defined as a “TQUV”. The PDS with failure of water injection to the core
at LOCA is defined as “LOCA”. The PDS LOCA is sometimes divided into AE, S1E, S2E which are
large LOCA (A), medium LOCA (S1) and small LOCA (S2) followed by failure of coolant injection
to the core (E), respectively.
Third, the PDS in which long-term heat removal fails is defined as a “TW”.
Separately from the above ones, the PDS in which loss of electrical power necessary for above
functions occurs is defined as a “TB”.
The short definitions of PDSs are summarized again below.
TQUX : High pressure coolant injection failure, and depressurization failure
TQUV : High/low pressure injection failures
TB   : Loss of off-site power and failure of coolant injection with limited system
TW   : Decay heat removal failure
TC   : Maintaining sub-criticality failure
LOCA : Coolant injection failure at LOCA
Detailed definitions of the PDSs as the interface between Level 1 PSA process and Level 2 PSA
process are described in section 4.3.1.2.
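The binning of event-tree sequences into PDSs described in (6) can be followed with a short calculation. The following Python example is added here and is not part of the original report or of any Hitachi-GE model: the heading subset, the lumping of headings WP to WD into one branch W, the independence of branches, and all probabilities and the initiating frequency are assumptions constructed for illustration. TB and LOCA are not modelled because they arise from other initiators and support-system failures.

```python
from collections import defaultdict
from itertools import product

# Headings of a simplified transient event tree (subset of the headings
# named in the text). W is a hypothetical single branch that lumps the
# long-term heat removal headings WP..WD.
HEADINGS = ["C", "Q", "U", "X", "V", "VD", "W"]

# CONSTRUCTED branch failure probabilities and initiating frequency,
# chosen only to make the arithmetic visible; these are not plant data.
FAIL_PROB = {"C": 1e-6, "Q": 1e-1, "U": 1e-3, "X": 1e-3,
             "V": 1e-3, "VD": 1e-2, "W": 1e-4}
INITIATOR_FREQ = 1.0  # per year (constructed)


def classify(failed):
    """Return the PDS for a set of failed headings, or 'OK'."""
    if "C" in failed:
        return "TC"        # reactivity control fails
    if {"Q", "U"} <= failed:
        # High pressure injection is lost (feedwater and HPCF both failed).
        if "X" in failed:
            return "TQUX"  # depressurization also fails
        if {"V", "VD"} <= failed:
            return "TQUV"  # depressurized, but low pressure injection fails
    if "W" in failed:
        return "TW"        # core cooled, long-term heat removal fails
    return "OK"


def quantify(initiator_freq=INITIATOR_FREQ, fail_prob=FAIL_PROB):
    """Sum sequence frequencies per PDS over every branch combination.

    Headings that a real event tree would not ask on a given path do not
    affect classify(), so their success and failure branches sum to one
    and the result equals that of the pruned tree.
    """
    totals = defaultdict(float)
    for states in product((False, True), repeat=len(HEADINGS)):
        failed = {h for h, is_failed in zip(HEADINGS, states) if is_failed}
        p = 1.0
        for h in HEADINGS:
            p *= fail_prob[h] if h in failed else 1.0 - fail_prob[h]
        totals[classify(failed)] += initiator_freq * p
    return dict(totals)


def core_damage_frequency(totals):
    """CDF is the sum over all end states other than 'OK'."""
    return sum(freq for pds, freq in totals.items() if pds != "OK")


if __name__ == "__main__":
    totals = quantify()
    for pds, freq in sorted(totals.items(), key=lambda kv: -kv[1]):
        print(f"{pds:5s} {freq:.3e} /year")
    print(f"CDF   {core_damage_frequency(totals):.3e} /year")
```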
Table 4.2.1.2-1 Initiating events
(Columns: Broad category / Initiating event / Postulated disturbances)

Manual Shutdowns
  Planned normal shutdown
    Planned normal shutdowns
Anticipated Transients
  Non-isolation event
    1. Electric load rejection (w/ bypass)
    2. Turbine trip (w/ bypass)
    3. Pressure regulator fails closed
    4. Turbine bypass or control valves cause increased pressure
    5. Trip of all recirculation pumps
    6. Recirculation pump seizure
    7. Feedwater - increasing flow at power
    8. High feedwater flow during startup or shutdown
    9. Inadvertent startup of HPCF
    10. One MSIV closure
    11. Recirculation control failure - increasing flow
    12. Loss of feedwater heater
  Isolation event
    1. MSIV closure (all)
    2. Partial MSIV closure
    3. Pressure regulator fails open (leading to MSIV closure)
    4. Turbine bypass fails open
    5. Electric load rejection with bypass valve failure
    6. Turbine trip with turbine bypass valve failure
    7. Loss of normal condenser vacuum
  Loss of all feedwater flow
    1. Loss of all feedwater flow
  Decrease in reactor water level
    1. Trip of one feedwater pump (or condensate pump)
    2. Feedwater - low flow
    3. Low feedwater flow during startup or shutdown
  Failure of RPS, etc.
    1. Rod withdrawal at power
    2. High flux due to rod withdrawal at startup
    3. Detected fault in reactor protection system
    4. Scram due to plant occurrences
    5. Spurious trip via instrumentation, RPS fault
  Loss of offsite power
    1. Loss of offsite power
    2. Loss of auxiliary power
  Inadvertent opening of relief valve
    1. Inadvertent opening of a safety/relief valve (stuck)
LOCAs
  Large LOCA
  Medium LOCA
  Small LOCA
Special Initiators
  Loss of emergency AC power supply
  Loss of emergency DC power supply
  Loss of emergency reactor cooling water system (RCW)
  Failure of turbine support systems
Table 4.2.1.2-2 Success criteria to prevent core damage for ABWR
[This information is removed intentionally]
[Figure: event tree for non-isolation events (TT). Headings in order: Scram (C), S/R valve open (M),
S/R valve close (P), Feed water system (Q), HPCF (U), Reactor decompression (X), LPFL (V),
Alternative pouring water (VD), PCS (WP), RHR (WR), RHR recovery (WRR), Alternative cooling (WD).
Sequence groups shown: TW, TQUV, TQUX.]
Fig. 4.2.1.2-1 Example of event tree
4.2.1.3 Indicative results
(1) Results from Japanese ABWR PSA
Fig.4.2.1.3-1 shows plant configurations for PSA. There are mainly 4 plant configurations, reflecting
the history of adding AM (Accident Management) strategies. For each plant configuration, the
following PSA results are defined. Some AM strategies are considered from an initial stage of design,
which are manual actuation of ECCS, manual depressurization of RPV, alternative coolant injection,
and so on. PSA for this plant configuration is called “PSA before the AM preparation”. In 1992, a
circular notice for preparations of accident management in a nuclear power plant was issued by the
Ministry of International Trade and Industry in Japan. Corresponding to this, new AM strategies were
added, which are hardened containment venting, multi-unit cross tie, coolant injection with a pump of
Fire Protection system (diesel-driven), and so on. PSA for this plant configuration is called “PSA
after AM preparation”.
In this section, the result of “PSA after AM preparation” is shown as an example.
Existing internal level 1 PSA results for Japanese ABWR are introduced here. Reference documents
are shown below.
• “The evaluation on accident management review report on Chugoku Electric Power Co.
  INC. Shimane 3rd NPP. (in Japanese)”, Nuclear and Industrial Safety Agency (NISA), Aug.
  2010 [13]
• “The report of accident management review for Shimane 3rd NPP (in Japanese)”, Chugoku
  Electric Power Co. INC, Apr. 2010 [14]
• “The report of Probabilistic Safety Assessment for Shimane 3rd NPP (in Japanese)”,
  Chugoku Electric Power Co. INC, Apr. 2010 [15]
Table 4.2.1.3-1 shows PSA results calculated by the utility, and by JNES as a cross-check on the
utility report. The CDFs of both PSAs are on the order of 10^-9. Mitigation features credited for
the PSA are described in Table 4.2.1.3-2.
Fig. 4.2.1.3-2 shows CDF for each plant damage state. The risk contributors for each plant damage
state in ABWR have typically shown the following characteristics.
TB is the largest contributor for total CDF in the calculation results of the utility and the JNES.
[This information is removed intentionally]
TQUX is the second largest contributor in the calculation results of the utility.
[This information is removed intentionally]
LOCA sequence is the third largest contributor in the calculation results of the utility.
[This information is removed intentionally]
[Figure: plant configurations for PSA, built up from (1) mitigation systems only for design basis
accident, (2) AM strategies before a circular notice [*1], (3) AM strategies added after a circular
notice [*1], and (4) AM strategies after Fukushima accident. The configurations labelled “PSA before
the AM preparation” and “PSA after the AM preparation” are indicated, together with the marker
“The result discussed in this section”.]
[*1] Circular notice of Ministry of International Trade and Industry, “Preparation of accident
management in a nuclear power plant” (July 1992)
Fig. 4.2.1.3-1 Plant configurations for PSA
Table 4.2.1.3-1 PSA results for Japanese ABWR
Analysis                     | Core damage frequency (/reactor year)
Utility analysis             | 1.2×10^-9
Cross check analysis of JNES | 2.4×10^-9
Table 4.2.1.3-2 Mitigation features credited in Japanese ABWR PSA
[This information is removed intentionally]
[Figure: bar chart of Core Damage Frequency (/y) on a logarithmic axis from 1.00E-12 to 1.00E-08,
with Utility and JNES series for each plant damage state: TQUX, TQUV, TB, TW, TC, LOCA.]
Fig. 4.2.1.3-2 CDF for each plant damage state
(This figure is developed from the data in ref. [15])
(2) Results from US ABWR DCD PSA
This section is discussed based on Hitachi-GE experience and estimates.
Another existing PSA result is that for US ABWR conducted by GE-Hitachi, which is referred to in US
ABWR DCD (Design Certification Document) [16] and NUREG-1503 [17]. Basic configurations of
US ABWR and Japanese ABWR are the same. Therefore, PSA results of US ABWR are useful
output for discussing sensitivity of modelling and database to the CDF and its break-down.
GE-Hitachi estimated the total CDF from internal events for US ABWR to be 1.6E-7 per year, which
is about two orders higher than that of Japanese ABWR. The initiating events that significantly
contribute to the CDF are loss of offsite power and loss of feedwater/isolation events. Among them,
SBO is the largest contributor.
Table 4.2.1.3-2 shows the comparison of database and modelling between US ABWR DCD PSA and
Japanese ABWR PSA. Based on Hitachi-GE experience, Hitachi-GE estimates that the following seem
to be the main differences:
- In terms of the database of initiating event frequency and component failure rate, Japanese ABWR
  PSA uses national records in Japan [10], which are generally less conservative than those for
  US ABWR DCD PSA.
- In terms of CCF (Common Cause Failure), US ABWR DCD PSA considers dependency
  among whole systems of ECCS (RCIC, 2 HPCFs, 3 LPFLs, and ADS) as CCF of transmission
  network, while Japanese ABWR PSA considers dependency among whole systems of ECCS as
  CCF of transmitters of reactor water level and digital systems. Only Japanese ABWR PSA
  considers CCF of valves/pumps/fans among intra-system redundant parts and also among
  inter-systems.
- In terms of human factors, both PSAs consider the following human actions and errors.
  • Manual actuation of coolant injection with ECCS, depressurization of RPV, and RHR
  • Pre-accident human errors (leaving valves closed after maintenance, miscalibration of
    sensors (Japanese ABWR PSA includes it in CCF of sensors))
  US ABWR DCD PSA considers only human errors for the failure of coolant injection into the
  RPV with feedwater and condensate system, while Japanese ABWR PSA has fault trees for
  them, which include human errors (considering both component error and human error).
- In terms of recovery, both PSAs consider recovery of off-site power, EDG and RHR. In
  addition, recovery of feed water system for initiating event of loss of partial or all feed water
  flow, and support system during unplanned manual shutdown events (or called special
  initiators) due to loss of support system are considered.
- For US ABWR DCD PSA, unavailability values due to T&M (Test and Maintenance) for
  RCIC, HPCF-B, HPCF-C, RHR-A, RHR-B, and RHR-C are set to 2%, while Japanese ABWR
  PSA calculates unavailability of each system considering the maintenance rule of safety
  regulations. The resulting unavailability of each system in Japanese ABWR PSA is much
  smaller than that in US ABWR.
- In terms of self-diagnosis function of digital systems, only Japanese ABWR PSA considers this
  function.
In terms of mitigation features, major differences between US ABWR and Japanese ABWR are
summarized in Table 4.2.1.2-2. For alternative AC power supply, a combustion turbine generator is
applied for US ABWR, while multi-unit cross tie is applied for conventional Japanese ABWRs. After
the Fukushima accident, an alternative power source is planned to be added. Air-cooled EDG is
considered as one of the options in UK ABWR. For RPV depressurization during transient events,
transient ADS, which initiates ADS with low reactor water level and a timer, is applied for US
ABWR, while manual depressurization is applied for conventional Japanese ABWR because ADS is
designed for LOCA, which initiates with both signals of high D/W pressure and low reactor water
level. For SLC injection, automatic initiation is applied for US ABWR, while manual initiation is
applied for Japanese ABWR. For the alternative water injection system, ACIWA (AC-Independent
Water Addition system) to inject coolant into the RPV and D/W, which utilizes the fire protection
system and a fire truck, is applied for US ABWR, while alternative water injection with the fire
protection system (including diesel-driven pump) or Make-Up Water Condensate system (MUWC) to
inject coolant into the RPV and D/W is applied for Japanese ABWR.
Table 4.2.1.3-3 Comparison of database and modelling between US ABWR DCD PSA and Japanese ABWR PSA

Initiating event frequency
  US ABWR: Transients: URD; LOCA: WASH-1400
  Japanese ABWR: Transients: National BWR record in Japan; LOCA: NUREG-1829, and NUREG/CR-5750
Component failure rate
  US ABWR: Failure Rate Data Manual for GE BWR Components
  Japanese ABWR: National record in Japan [10]
Common Cause Failure
  US ABWR: Following dependent failures are considered: Ex. transmission network, sensors and
    transmitters (including miscalibration), digital systems, EDGs, batteries, SRVs
  Japanese ABWR: Following dependent failures are considered: Ex. sensors and transmitters, digital
    systems, EDGs, batteries and some active component of HPCFs, LPFLs/RHRs, RCWs/RSWs, HVACs,
    DGFOs (Generic component CCF is additionally considered with MGL (Multiple Greek Method).)
  Beta factors taken from NUREG-1150, NUREG/CR-1205 (Rev.1), NUREG/CR-1363 (Rev.1),
    NUREG/CR-2771, SECY-83-293, P. A27
Human factor
  US ABWR: THERP
  Japanese ABWR: THERP
Recovery
  US ABWR: Recovery of off-site power, EDG and RHR are considered.
  Japanese ABWR: Recovery of off-site power, EDG, and RHR are considered. Recovery of feedwater
    system and support systems are considered depending on an initiating event.
Test and Maintenance
  US ABWR: 0.02 unavailability for each RCIC, HPCF, RHR
  Japanese ABWR: Unavailability by test and maintenance is calculated for RCIC, HPCF, RHR,
    RCW/RSW, EDG (Unavailability is lower than 10^-3.)
Self-diagnosis function of digital system
  US ABWR: Credited
  Japanese ABWR: Credited (With some percentage, faults are found out by self-diagnosis)
Major differences in mitigation features
  US ABWR: Combustion turbine generator; Transient ADS; Automatic SLC; AC-independent water
    addition system
  Japanese ABWR: Multi-unit cross tie; Manual actuation of ADS; Manual SLC; Alternative coolant
    injection system
(3) Discussion on the order of CDF
The total CDFs from existing PSA results are 1.2×10^-9 per year and 1.6×10^-7 per year for Japanese
ABWR PSA and US ABWR DCD PSA, respectively. This difference is two orders of magnitude.
The potential contributors to this difference are:
- Level of initiating event frequency
- Level of component failure probability including CCF probability
- Credit of recoveries
When the CDFs by PDS for Japanese ABWR are compared with those of US ABWR, the ratio of the
CDFs from each PDS is of a similar level for all the PDSs. Therefore, the difference in initiating
event frequencies seems to be the most dominant factor contributing to this difference. The
sensitivity analyses regarding the initiating event frequency and recoveries are presented in the PSA
support document [9].
4.2.2 Shutdown PSA (Internal Level 1)
Section 4.2.2 describes an overview of shutdown PSA (internal level 1) of ABWR reactor core. The
description covers the procedure (4.2.2.1), the concept and model (4.2.2.2) and the insights from
indicative results (4.2.2.3) based on the practice and experience of Japanese ABWR, with emphasis
on the characteristics of shutdown PSA compared with internal level 1 PSA during normal
operation. It should be noted that the Fukushima countermeasures to be implemented into UK
ABWR are not included here.
4.2.2.1 Procedure of shutdown PSA
A standard for shutdown PSA established by Atomic Energy Society of Japan [18] provides the
procedure of shutdown PSA as follows.
1. Investigation of plant information
2. Classification of Plant Operating State (POS)
3. Selection of initiating faults and estimation of their frequencies
4. Establishment of success criteria
5. Analysis of accident sequences
6. System reliability analysis
7. Human reliability analysis
8. Preparation of necessary parameters
9. Quantification of accident sequences
10. Uncertainty analysis and sensitivity analysis
11. Documentation
Those items except No.2 “Classification of POS” are basically the same as those of internal level 1
PSA during normal operation.
4.2.2.2 Model and Data
(1) Plant Operating State (POS)
In Japanese practice, partial power operation is enveloped by rated power operation in terms of PSA.
For BWRs including ABWR, the period between two important operations, “vacuum break of main
condensers” and “withdrawal of control rods”, is treated by shutdown PSA as illustrated in Fig.
4.2.2.2-1 because these operations significantly change the conditions of initiating events and
mitigating systems. That is to say, the main condensers are not available for decay heat removal
during such period.
In Japanese ABWR, the plant state treated by shutdown PSA is further divided into 5 sub-states
(POSs) because 1) the mitigation systems to be considered change with the process of periodic
inspection, 2) the decay heat changes with time, and 3) the water inventory in the RPV changes with
the process of periodic inspection. The estimated time to core damage and thus the failure
probability of some recovery actions may change among POSs. The example of the five POSs used
in Japanese ABWR is described below in time order.
POS “S”: Transition to reactor cold shutdown:
This POS is defined as the period from “vacuum break of main condensers” to
“starting the procedure of opening the PCV/RPV top heads”. The water level in RPV is
the same as that of normal operation. The decay heat is being removed by one of the
three RHRs in the shutdown cooling mode. The mitigation systems to be considered in
PSA depend on the procedure of periodic inspection.
POS “A”: Transition to opening PCV/RPV top heads:
This POS is defined as the period from “starting the procedure of opening the
PCV/RPV top heads” to “completing stretch of reactor well”. The decay heat is still large
and the water level in RPV is higher than that in the normal operation. The decay heat is
being removed by one of the three RHRs in the shutdown cooling mode, which is the
same as the status S. The mitigation systems to be considered in PSA depend on the
procedure of periodic inspection.
POS “B”: Full water level in reactor well:
This POS is defined as the period from “completing stretch of reactor well” to “starting
drain off of reactor well”. The water inventory in RPV is large, so the heat up of reactor
coolant is considerably slow even if the decay heat removal is lost. Usually this status is
subdivided according to the available set of mitigation systems.
POS “C”: Transition to closing PCV/RPV top heads:
This POS is defined as the period from “starting drain off of reactor well” to
“completing the closing procedure of the PCV/RPV top heads”. Inspection and
maintenance of equipment are still continued in this period. The water level in RPV is
higher than that at normal operation and the decay heat is about 1/10 of that just after the
reactor shutdown.
POS “D”: Preparation of plant startup:
This POS is defined as the period from “completing the closing procedure of the
PCV/RPV top heads” to “starting CR withdrawal for startup”. During this period,
inspection and maintenance of equipment are already completed, so many mitigation
systems except the turbine driven RCIC are in stand-by status.
After the classification, the duration of each POS is established based on a representative case, a
particular case, or statistics of periodic inspection according to the purpose of shutdown PSA.
For operating plants, the duration of each POS may vary among past periodic inspections. When
shutdown PSA is carried out based on statistical application of past inspections, “time window
analysis” is an effective method for reflecting the variation of success criteria or time allowance
among POSs of the same category (ex. “B”) at different inspections that is caused by the variation
of the decay heat level. The procedure of the time window analysis for a particular POS (ex. “B”)
is as follows.
1) The influence of decay heat level on the success criteria or time allowance is analyzed.
2) A POS (ex. “B”) is subdivided into several “time windows” so that identical success criteria or
time allowance can be practically applied to the same category of the “time window” among
different inspections.
3) CDF per unit time is quantified for each time window.
4) Representative CDF for a POS is estimated by summing up “(CDF per unit time) x (duration of
time window)” for all the time windows and all the past inspections of interest.
The time window analysis enables us to include the types of shutdown other than periodic inspection,
such as unplanned shutdown, refuelling shutdown etc.
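The time window procedure above, worked through as an added example (not code or data from the report). Every window boundary, CDF-per-day value and inspection period is constructed for illustration, and expressing window boundaries as days after shutdown is an assumption standing in for the decay heat level.

```python
"""Time window analysis for one POS, following steps 2) to 4) above.

All numbers below are constructed for illustration; none come from the report.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class TimeWindow:
    name: str
    start_day: float    # days after shutdown, inclusive
    end_day: float      # days after shutdown, exclusive (math.inf allowed)
    cdf_per_day: float  # step 3: CDF per unit time quantified for this window


@dataclass(frozen=True)
class PosInterval:
    inspection: str
    start_day: float    # POS entered, days after shutdown
    end_day: float      # POS left, days after shutdown


# Assumption: window boundaries are given as days after shutdown, standing in
# for the decay heat levels at which success criteria or time allowance change.
WINDOWS = [
    TimeWindow("B-1", 0.0, 10.0, 4e-9),
    TimeWindow("B-2", 10.0, 20.0, 2e-9),
    TimeWindow("B-3", 20.0, math.inf, 1e-9),
]

# Constructed POS "B" periods from three past inspections.
INSPECTIONS = [
    PosInterval("inspection-1", 4.0, 24.0),
    PosInterval("inspection-2", 8.0, 18.0),
    PosInterval("inspection-3", 12.0, 40.0),
]


def check_windows(windows):
    """Reject window sets that overlap, leave gaps or carry negative rates."""
    if not windows:
        raise ValueError("at least one time window is required")
    for w in windows:
        if not w.start_day < w.end_day:
            raise ValueError(f"window {w.name} has no duration")
        if w.cdf_per_day < 0:
            raise ValueError(f"window {w.name} has a negative CDF per day")
    for prev, nxt in zip(windows, windows[1:]):
        if prev.end_day != nxt.start_day:
            raise ValueError(f"gap or overlap between {prev.name} and {nxt.name}")


def split_into_windows(interval, windows):
    """Step 2: cut one POS period into (window, duration in days) pieces."""
    check_windows(windows)
    if not interval.start_day < interval.end_day or math.isinf(interval.end_day):
        raise ValueError(f"{interval.inspection}: POS period must be finite and positive")
    if interval.start_day < windows[0].start_day or interval.end_day > windows[-1].end_day:
        raise ValueError(f"{interval.inspection}: POS period not covered by the windows")
    pieces = []
    for w in windows:
        overlap = min(interval.end_day, w.end_day) - max(interval.start_day, w.start_day)
        if overlap > 0:
            pieces.append((w, overlap))
    return pieces


def cdf_for_inspection(interval, windows):
    """Step 4 for one inspection: sum of (CDF per day) x (window duration)."""
    return sum(w.cdf_per_day * days for w, days in split_into_windows(interval, windows))


def representative_cdf(inspections, windows):
    """Step 4 over all inspections: per-inspection values and their sum."""
    per_inspection = {i.inspection: cdf_for_inspection(i, windows) for i in inspections}
    return per_inspection, sum(per_inspection.values())


if __name__ == "__main__":
    per_inspection, total = representative_cdf(INSPECTIONS, WINDOWS)
    for name, value in per_inspection.items():
        print(f"{name}: {value:.2e}")
    print(f"sum over inspections: {total:.2e}")
```

An inspection whose POS period falls partly outside the defined windows raises an error instead of silently dropping that time from the sum.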
[Figure: reactor power versus time. Labels: rated power operation; reactor power decreasing; insertion of all CRs; vacuum breaking of main condenser; withdrawing of CRs. Regions: PSA at power; PSA at shutdown; PSA at power.]
Fig. 4.2.2.2-1 Division of plant state in practice of Japanese ABWR
(2) Initiating Faults
Generally, initiating faults for shutdown PSA are selected using a master logic diagram. An example
of a master logic diagram for Japanese ABWR is illustrated in Fig. 4.2.2.1-2. The potential faults
leading to core damage can be mechanical failure or thermal failure of the fuel.
The mechanical failure is mainly caused by drop of a fuel bundle itself, so that the fuel failure is
localized and it would not lead to excessive core damage. In Japanese practice, the mechanical
failure of fuel is not included in the scope of shutdown PSA. The applicability of such treatment to
UK ABWR will be carefully discussed after STEP 1.
Thermal failure of fuel is caused by a mismatch of heat production and heat removal, which is
overpower or insufficient cooling of fuel. Overpower of fuel is potentially caused by CR withdrawal
error or mis-loading of fuel bundles. However, reactivity insertion and thus overpower are localized,
so that excessive core damage would not occur. In Japanese practice, the thermal failure of fuel by
overpower is not included in the scope of shutdown PSA. The applicability of such treatment to UK
ABWR will be carefully discussed after step 1.
In the end, only the thermal failure of fuel due to insufficient cooling is treated in shutdown PSA,
like level 1 PSA at power, in Japanese practice. The insufficient cooling is caused by leakage or
boil-off of primary coolant.
In conventional BWR plants, the drain line of RHR is connected to the recirculation loop below the
reactor core at the shutdown cooling mode. In case of multiple human errors during switchover of
RHR shutdown cooling mode, leakage of primary coolant into the suppression pool through that
drain line and the inadvertently opened mini flow valve may lead to core uncovery. On the other
hand, the position of RHR drain line is above the reactor core region, so that leakage from that line
would not directly lead to core uncovery. In shutdown PSA of Japanese ABWR, such leakage is not
considered. Break of pipes connected to primary coolant boundary is also not considered in
shutdown PSA because the low pressure and temperature of coolant during most of shutdown would
make the probability of any pipe break extremely low. The leakage during shutdown period is
assumed to occur during inspection of CRD (Control Rod Drive), replacement of LPRM (Local
Power Range Monitor), inspection of RIP (Reactor Internal Pump), or inadvertent
mainly due to
human errors unique to shutdown state.
Boil-off of primary coolant is attributed to loss of RHR or loss of offsite power according to
Hitachi-GE experience. Loss of RHR is caused by failure of either the front line or the support line
(RCW/RSW). In the case of support line failure, HPCF and LPFL in the same division are also lost.
[Figure: master logic diagram. Top event: potential fault leading to core damage. Nodes: mechanical failure of fuel; thermal failure of fuel; overpower of fuel; insufficient cooling of fuel; leakage of coolant; boil-off of coolant; loss of RHR; loss of offsite power; loss of primary coolant boundary; *reactivity insertion; *drop of heavy equipment. Legend entries: "*Not considered in shutdown PSA due to localized fuel failure"; "Considered in shutdown PSA".]
Fig. 4.2.2.2-2 Example of master logic diagram for selecting initiating faults in shutdown PSA
(3) Accident Sequence Analysis
The set of mitigation (heat removal and water injection) systems credited and the relevant success
criteria in shutdown PSA are essentially different from those in level 1 PSA during normal operation.
The success of heat removal is that the coolant temperature is kept below 100 degree-C when the RPV
is closed (POSs “S”, “A”, “C”, “D”) or 66 degree-C when the water level is in the reactor well (POS
“B”). The success of water injection is that the injection rate is larger than the evaporation rate and
leakage rate. An example of a concrete set of success criteria is listed below.
Heat removal:
[This information is removed intentionally]
Water injection:
[This information is removed intentionally]
Reactor Core Isolation Cooling system (RCIC), Control Rod Drive (CRD) and Standby Liquid
Control system (SLC) have not been credited in shutdown PSA.
(4) System Analysis
As illustrated in Fig.4.2.2.2-2, the initiating faults considered in shutdown PSA are “Loss of RHR
(front line or support line)”, “Loss of offsite power” and “Loss of primary coolant boundary”. An
example of event tree for “Loss of primary coolant boundary” is shown in Fig.4.2.2.2-3.
The failure probability of each heading in event trees is estimated by fault tree analyses, which is
essentially the same, including the failure rate database, as level 1 PSA during normal operation.
[Figure: event tree. Headings: Leakage; Cognition of decreasing water level; Isolation of leakage path; Mitigation system; Sequence group. End states: OK; OK; Core damage; Core damage.]
Fig. 4.2.2.2-3 Example of event tree in shutdown PSA
(5) Human Reliability Analysis
The characteristics of shutdown PSA in terms of human errors are summarized below.
- All the mitigation systems are manually initiated because automatic initiation is
  not always available in shutdown period.
- Available times for recovery actions are long due to large ratio of water inventory
  to decay heat.
- Cognition errors are important.
In the fault tree analysis, failure of manual startup is considered for all the mitigating systems.
Human errors leading to inadvertent stop of the systems having continuously operated during
periodic inspection are also considered. Since Fire Protection system is prepared as an AM measure,
errors in realizing the necessity of the Fire Protection system and in selecting the necessary valves
to open at the job site are considered as the dominant ones.
When loss of RHR or loss of offsite power occurs as an initiating fault, the timing of manual
actuation on the mitigating system(s) is important. If it is before the primary coolant temperature
reaches 100 degree-C (for all POSs except “B”) or 66 degree-C (for POS “B”), failure of the
mitigation system(s) does not immediately lead to core damage but recovery of the heat removal
system and the water injection system is further considered as the headings. On the other hand,
failure of the mitigation system(s) after the primary coolant temperature reaches the above limit is
assumed to result in core damage. Therefore, cognition of the necessity of short-term diagnosis is set
as the heading in the event trees of “loss of RHR” and “loss of offsite power” just before the heading
of mitigating system.
When loss of primary coolant occurs as an initiating fault, failure to recognize a decrease in the
water level by the start of core uncovery is supposed to result in core damage, so cognition error of
the decreasing water level is the first heading just after the initiating fault, as exemplified in Fig.
4.2.2.1-3. However, the cognition error is supposed to be negligible in Japanese practice if the
leakage is caused through inspection of CRD, replacement of LPRM, or inspection of RIP. That is
because the time to start of core uncovery is estimated to be [This information is removed
intentionally] hours. On the other hand, the leakage through the CUW blow valve allows
[This information is removed intentionally] hour, so that cognition errors of decreasing water
level in the central control room and excess flow to the Rad. Waste (RW) tank in the RW facility are
considered. Once the decrease in the water level due to loss of primary coolant boundary is
successfully recognized, the subsequent isolation of the leakage path is of interest. Failure
probabilities of such isolation works are considered in the event tree.
(6) Quantification
The quantification process is basically the same as that of level 1 PSA during normal operation. The
characteristics of shutdown PSA in terms of quantification are summarized below.
- IE is calculated by field data or generic data.
- CDF per day is calculated for all POSs (and time windows if necessary).
- The calculated CDFs per day are integrated to a CDF per periodic inspection.
4.2.2.3 Insights from Indicative Results
Here, the insights from a past study of a Japanese ABWR plant are summarized. The average CDF
per periodic inspection is smaller than the average CDF per year during normal operation. That is
basically owing to the larger ratio of water inventory to decay heat.
Among the initiating faults, loss of offsite power has the biggest contribution followed by loss of
primary coolant boundary, loss of RHR support line and loss of RHR front line. The biggest
contribution of loss of offsite power is mainly because the available systems for mitigation are
limited.
For each initiating fault, POS “C” (transition to closing PCV/RPV top heads) has the biggest
contribution among the POSs. Therefore, the most contributing POS is “C” followed by “D”. The
other POSs are not dominant. That is mainly because [This information is removed intentionally]
[This information is removed intentionally]
Another important insight is that human factor may have a big impact.
[This information is removed intentionally]
4.2.3 Internal Event Level 1 PSA (Spent Fuel Pool)
As PSA for Spent Fuel Pool (SFP) has not been carried out for Japanese BWRs including ABWR, it
will be newly developed for UK ABWR. In this section, scope of internal level 1 PSA for SFP, called
“SFP PSA” here, is discussed referring to the STEP1b S9b “Initial Safety Case report on Spent Fuel
Storage Pool”[19] and taking some analogy with shutdown PSA discussed in 4.2.2.
4.2.3.1 Initiating Faults
In the STEP1b S9b “Initial Safety Case report on Spent Fuel Storage Pool” [19], the following
Postulated Initiating Events (PIEs) caused by internal faults are proposed.
Single failure:
[This information is removed intentionally]
Multiple failures:
[This information is removed intentionally]
Infrequent single failure:
[This information is removed intentionally]
The initiating faults for SFP PSA will be selected based on those PIEs and a master logic diagram
like shutdown PSA (see 4.2.2.2). In the SFP design, there is no piping connected to the SFP below
the top of fuel bundle, so that the leakage caused by a pipe break would not immediately lead to fuel
bundle uncovery. By analogy with shutdown PSA, the direct damage of fuel by dropped load might
not be included in the scope of SFP PSA. The applicability of such treatment in shutdown PSA and
spent fuel PSA to UK ABWR will be carefully discussed after step 1.
At this moment, the SFP risk (internal) is regarded to mainly come from SBO and LUHS.
4.2.3.2 Accident Sequence Analysis and System Analysis
The candidate countermeasures to mitigate the SFP PIEs are introduced in section 4.3 of the STEP1b
S9b “Initial Safety Case report on Spent Fuel Storage Pool” [19]. The key phenomena on which the
success criteria of the countermeasures in SFP PSA are based are:
- SFP water temperature reaching 66 degree-C (from analogy with shutdown PSA)
- SFP water temperature reaching 100 degree-C (from analogy with shutdown PSA)
- Start of fuel bundle uncovery
- Peak Clad Temperature (PCT) reaching 1200 degree-C (from analogy with level 1
  PSA during normal operation)
Event trees for selected initiating faults (perhaps for each POS) will be developed. The failure
probability of each heading in event trees will be estimated by fault tree analyses. Those processes
will be essentially the same, including the failure rate database, as level 1 PSAs during normal
operation and shutdown PSA.
4.2.3.3 Human Reliability Analysis
An HRA regarding SFP faults is also a new item. It will be developed in strong collaboration with
the activities on Fault Schedule, Human Factor, C&I, etc. Due to relatively long available time and if
some mitigation systems are to be initiated manually, cognition errors might be important from
analogy with shutdown PSA.
4.2.3.4 Expected Risk Insights
Although SFP PSA has not been carried out yet, the expected risk insight is discussed here from
analogy with shutdown PSA, especially the POS “B (Full water level in reactor well)” due to the
similarity in water inventory, heat rate and available mitigation systems. In a past study of shutdown
PSA for Japanese ABWR, the average CDF per periodic inspection is smaller than the average CDF
per year during normal operation. The contribution of POS “B” is not dominant. From those two
things, it can be reasonably expected that average CDF in SFP PSA will be probably well below
those in internal level 1 PSA during normal operation and shutdown PSA.
4.3 Internal Event Level 2 PSA
This sub-section describes the model, severe accident analysis, and indicative results from
experience and LRF estimate, regarding internal event Level 2 PSA at power.
4.3.1 Internal Event Level 2 PSA (Reactor core during normal operation)
4.3.1.1 Procedure of Internal Event Level 2 PSA
A standard for Internal Level 2 PSA during power operation established by Atomic Energy Society
of Japan [20] provides the procedure of the PSA as follows.
1. Investigation of plant information
2. Classification of plant damage states and estimation of their frequencies
3. Establishment of containment failure mode
4. Analysis of accident sequences
5. Accident progression analysis
6. Quantification of accident sequences
7. Classification of release category and estimation of their frequencies
8. Source term analysis for each release category
9. Uncertainty analysis and sensitivity analysis
10. Documentation
4.3.1.2 Model
(1) Interface: Definition of PDSs
Considering interfaces between Level 1 PSA and Level 2 PSA, the following plant damage states (PDS)
explained in 4.2 are used. Definitions of PDSs are described below. These PDSs are categorized
from the viewpoint of initiating events, similarity of plant thermal hydraulic characteristics (pressure
in reactor, timing of core damage, timing of containment failure, core debris coolability, heat
removal, etc.), and availability of mitigation systems.
LOCA
This PDS includes large LOCA with injection failure, medium LOCA with injection failure and
small LOCA with injection failure. Core damage occurs in the short term at low RPV pressure.
Availability of debris cooling measures and heat removal measures is treated in a probabilistic way
in the containment event tree.
TQUV
The PDS “TQUV” is Transient including manual shutdown and special initiators, followed by
failures of feedwater system, high pressure ECCS and low pressure ECCS. Since reactor
depressurization succeeds or the RPV pressure decreases due to inadvertent opening of SRV, the
RPV pressure at the moment of core damage is categorized as low. The timing of core damage is
categorized as short. The PCV spray system might be available. In Level 2 PSA, the availability of
this system as the debris cooling measure and heat removal measure is treated with a probabilistic
approach under the failure of low pressure ECCS, because the PCV spray system shares the pumps
and valves with the low pressure ECCS.
TQUX
The PDS “TQUX” is Transient including manual shutdown and special initiators, followed by
failures of feedwater system, high pressure ECCS and reactor depressurization. Since high pressure
injection measures are lost and reactor depressurization fails, core damage occurs at high pressure in
short term. The low pressure ECCS for debris cooling and heat removal is credited with the same
unavailability as used in Level 1 PSA.
Common TB group (station blackout) is further divided into 4 PDSs from the viewpoint of PCV
response. Availability of the debris cooling measures and heat removal measures is treated in
a probabilistic way, since it depends on recovery of AC/DC powers. Note that the Fukushima
countermeasures, e.g. AC independent water injection by fire trucks and diesel driven pumps, are not
credited in the PSA of this document.
Long-term TB
Long term station blackout (long term TB), including failures to recover offsite power by 30 minutes
and 8 hours, occurs but high pressure injection is maintained till DC power is exhausted. The timing
of core damage is long term. Since the exhaustion of DC power disables manual depressurization by
SRV as well as RCIC, the RPV pressure is high at the moment of core damage.
TBU
In the PDS “TBU”, station blackout (TB), including failure to recover offsite power by 30 minutes,
is followed by failure of RCIC. Due to the station blackout, no water injection measures including
alternative water injection are available. Thus, the reactor is not depressurized despite DC power
being available. The resulting core damage occurs in short term at high pressure.
TBD
In the PDS “TBD”, failure of RCIC is caused by failure of DC power while it is due to failure of
RCIC itself in TBU. The structure of containment event tree for TBD is the same as that for TB
because DC power is not available in both PDSs.
TBP
Station blackout (TB) is followed by failure to re-close SRV. Reactor depressurization results in
disabled RCIC, thus core damage occurs in the short term at low pressure. In the containment event
tree analysis, TBP is represented by TBU from the viewpoint of credited mitigation measures.
TW
In this PDS, water injection to the core is successful but heat removal from PCV fails. As a result,
PCV fails due to overpressure and it results in core damage (long term) at high pressure due to
loss of RCIC and HPCF. Since PCV is assumed to have always failed at the moment of core
damage, containment event tree analysis is not conducted. However, severe accident analysis is
conducted for a representative scenario.
TC
In this PDS, water injection to the core is successful but heat removal from PCV is not enough due
to failure of keeping sub-criticality. PCV overpressure failure occurs earlier than TW. Then, core
damage occurs shortly at high pressure due to loss of RCIC and HPCF like TW. Containment event
tree analysis is not conducted. However, severe accident analysis is conducted for a representative
scenario.
In TC and TW, containment fails earlier than core damage. Therefore, no event tree is necessary for
these sequences. Containment event tree analysis is carried out for other seven PDSs.
The dependencies between the PDSs and subsequent sequences are carefully examined.
(2) Failure mode of containment
Failure modes of containment are described below. Hydrogen combustion is not included because of
the combustion characteristics in inert containment. Justification of it is performed in a future work.
Overpressure by steam (decay heat)
Pressure increases slowly by accumulation of steam generated by decay heat of the core when
debris (molten core) is cooled. This event is prevented by cooling core debris and appropriate
removal of decay heat from containment.
Steam explosion
The thermal energy of debris is converted to mechanical energy instantaneously when a lot of
high temperature material drops into water. Probability of occurrence of steam explosion and its
effect on structural integrity of containment is studied in Level 2 PSA.
Overpressure in case of failure of maintaining sub-criticality
Containment pressure rises due to a steam generated in the core at early stages of accidents.
This event is prevented by reactivity control in Level 1 PSA.
Penetration overtemperature
The inside of the containment is heated slowly by overheated steam or high temperature gases if core
debris is not covered by water. Non-metallic parts of penetrations lose their integrity in high
temperature environment. This event is prevented by coolant injection to debris, and/or by
containment cooling using D/W spray.
Direct Containment Heating
With a failure of RPV depressurization, when the core debris is ejected from the RPV, the molten
core debris might fragment into small particles and Direct Containment Heating (hereafter called
DCH) might occur. Therefore, atmosphere in containment is heated directly in case when RPV
failure occurs at high pressure, which may lead to failure of containment.
This event is prevented by adequate RPV depressurization.
Molten core concrete interaction
After RPV failure, if debris on the lower D/W is not cooled, concrete is eroded by molten core
concrete interaction (hereafter MCCI). Then base-mat melt-through occurs and it might finally lead
to containment failure. This event is prevented by cooling debris in the pedestal.
Failure of containment isolation
Isolation of containment already fails at the time of core damage. Leakage of radioactive
material from containment cannot be prevented. Therefore this mode is treated as threatening
containment integrity. This event is prevented by isolating containment.
(3) Accident Sequence Analysis
The accident sequence might be changed from existing model because of some design change for
UK ABWR. However, accident sequence model of existing Level 1.5 PSA, which calculates the
CFF (Containment Failure Frequency), can be also the basis of Level 2 PSA for UK ABWR.
Accident sequence for each PDS is described below.
a. TQUX
In this condition, high pressure injection systems are assumed to be unavailable for some reason.
ADS is initiated by both signals, low reactor water level (Level 1.5) and high D/W pressure.
During transient events, high D/W pressure is too late to prevent core damage considering heat
sink capacity of containment. Therefore, in Level 1 PSA, manual actuation of SRVs is necessary.
However, in Level 2 PSA, time margin for this signal is enough until RPV failure. With automatic
actuation of ADS or manual actuation of SRVs followed by low pressure injection with LPFL or
alternative water injection (as AM measure), RPV failure can be prevented.
If the RPV failure is prevented, stable state can be achieved by long-term heat removal with RHR.
If the RHR fails, the containment can fail by overpressure like “TW” sequence.
If the RPV fails due to failure of water injection to damaged core, accident progression is similar
to that of TQUV explained later. With a failure of RPV depressurization, early containment
failure can occur by direct containment heating (DCH). If containment is intact even after
low-pressure RPV failure or high-pressure RPV failure (without DCH), core debris on the lower
D/W floor needs to be cooled to stop progression of MCCI. Containment failure by MCCI is
prevented by coolant injection into lower D/W and D/W spray with RHR / alternative water
injection system. Steam explosion during the debris cooling is also considered. Including above
things, containment failure is avoided if core debris is cooled and long-term heat removal is
maintained. Figs.4.3.1.2-1 through 4.3.1.2-3 show conceptual diagram of the containment event
tree for TQUX.
b. TQUV
The difference of TQUV from TQUX sequences is that RPV pressure is considered low. Containment
failure is avoided if core debris is cooled and long-term heat removal is maintained, as
mentioned in TQUX.
c. LOCA
Accident sequence of LOCA in Level 2 PSA is almost the same as that of TQUV. Only the
difference is that, before the RPV fails, a pool is formed in the lower D/W because steam is
released to the D/W by LOCA. If the RPV fails, steam explosion by core debris dropping into this
pool is considered.
d. TB group
TB group (station blackout) is divided into 2 subgroups (TBU/TBP and long term TB/TBD) in
terms of availability of DC power at the moment of core damage.
In TBU, core damage occurs at high pressure in short term due to the failure of RCIC itself. In
TBP, core damage occurs at low pressure in short term because failure to re-close SRV disables
the RCIC. From the viewpoint of Level 2 PSA, those PDSs are similar since DC power itself is
assumed to be intact. In Hitachi-GE generic PSA, TBU and TBD share the same event tree.
Since the RPV pressure is high at the moment of core damage in TBU, the event tree structure is
basically the same as that of TQUX except that “AC power recovery” is added before/after the
RPV failure. Automatic depressurization dependent on DC power is credited like TQUX. When
quantifying the containment event tree for TBP, in which core damage occurs at low pressure,
failure probability of automatic depressurization is set as negligibly small. Since the low pressure
ECCS itself is intact in station blackout condition, recovery of AC power before RPV failure
enables injection into RPV by the low pressure ECCS or alternative water injection. Similarly,
recovery of AC power even after RPV failure but before PCV failure enables debris cooling, PCV
spray by RHR or alternative water injection, and long term heat removal by the RHR. Although
the alternative water injection includes motor-driven MUWC pumps and diesel-driven fire
protection (FP) pumps, the failure to recover AC power is assumed to lead to containment failure,
which means that alternative water injection is not credited under station blackout condition.
In the PDS “long term TB”, core damage occurs after the RCIC has stopped due to exhausted
DC power in the Level 1 analysis. In TBD, DC power is also lost before core damage. Both TB
and TBD need recovery of DC power for reactor depressurization and AC power recovery. The
difference from TBU/TBP is that “DC power recovery” is considered. The former recovery is
essential for reactor depressurization and AC power recovery before RPV failure, which may
enable cooling of the damaged core inside the RPV by the low pressure ECCS or alternative water
injection. The latter recovery is essential for AC power recovery, which enables debris cooling and
PCV spray by RHR or alternative water injection, and also long term heat removal by the RHR.
Although the alternative water injection includes motor-driven MUWC pumps and diesel-driven
fire protection (FP) pumps, the failure to recover AC power is assumed to lead to containment
failure, which means that alternative water injection is not credited under station blackout
condition.
(4) Accident progression analysis
MAAP is used in the UK ABWR PSA. This analysis includes models for the important accident
phenomena that might occur within the primary system, in the containment, and in the reactor building.
MAAP calculates the progression of the postulated accident sequence, including the deposition of
the fission products, from a set of initiating events to either a safe, stable state or to an impaired
containment condition (by over-pressure or over-temperature) and the possible releases of fission
products to the environment.
To establish that the MAAP code is capable of addressing the above purpose and uses, numerous
benchmarks have been performed, both with respect to individual models and for the integral
response of reactor systems. These benchmarks provide insights into the code performance and
confidence in the capabilities of MAAP to represent individual phenomena as well as the integral
response of reactor systems, including the influences of operator actions.
Accident progression analyses are prepared for 6 representative sequences. Each
sequence represents one PDS. The analysis conditions are described below.
a. TQUV
Accident analysis conditions for TQUV are described below.
- For the initiating event, a transient event with MSIV closure is assumed.
- [This information is removed intentionally]
- [This information is removed intentionally]
- [This information is removed intentionally]
From the viewpoint of conservatism, the condition of loss of all feedwater flow without a stuck-open
relief valve is chosen.
b. TQUX
Accident progression analysis conditions for TQUX are described below.
- For the initiating event, a transient event with MSIV closure is assumed.
- [This information is removed intentionally]
- [This information is removed intentionally]
From the viewpoint of conservatism, the condition of loss of all feedwater flow without a stuck-open
relief valve is chosen.
c. Long term TB
Accident progression analysis conditions for TB are described below.
- For the initiating event, loss of off-site power is assumed.
- [This information is removed intentionally]
- [This information is removed intentionally]
In this case, the RCIC runs for 8 hours.
d. TW
Accident progression analysis conditions for TW are described below.
- For the initiating event, a transient event with loss of all feedwater flow is assumed.
- [This information is removed intentionally]
- [This information is removed intentionally]
- [This information is removed intentionally]
From the viewpoint of conservatism, the condition of loss of all feedwater flow without a stuck-open
relief valve is chosen.
e. TC
Accident progression analysis conditions for TC are described below.
- For the initiating event, a transient event with spurious closure of the MSIV is assumed.
- [This information is removed intentionally]
- [This information is removed intentionally]
From the viewpoint of conservatism, spurious closure of the MSIV is chosen as the initiating event.
f. LOCA
Accident analysis conditions for LOCA are described below.
- For the initiating event, a guillotine break of the feedwater piping is assumed.
- [This information is removed intentionally]
For the Japanese ABWR PSA, the acceptance criteria of the containment are [This information is removed
intentionally] times the design pressure and about [This information is removed intentionally]
degree-C. The acceptance criteria of the containment condition will be reviewed by an
appropriate method.
For the following physical phenomena, the branch probabilities of the event tree headings are calculated.
Dominant parameters with large uncertainty are selected, and a statistical distribution of the criterion
parameter is generated to determine the branch probability.
- Steam Explosion
- Direct Containment Heating
- Debris Cooling (MCCI)
(5) Fission Product release category
Containment failure sequences are categorized into 16 groups as shown below, considering
containment integrity, release timing, release path, duration, scrubbing effect, etc.
Indicative analysis conditions are described in the PSA support document [9].
[This information is removed intentionally]
[Figure: event tree diagram. Phases: T1, T2. Headings: Plant Damage State; Containment Isolation;
RPV Depressurization; Low Pressure ECCS; Containment failure by FCI; Containment Failure by DCH;
Containment failure by Shell Attack; Containment Condition / Link to Other Trees. End states:
Intact RPV / Containment Pressurizing sequence (T3A); RPV Failure Sequence (T3B); Containment
failure (Ex-vessel FCI); Containment failure (Shell Attack) [*1]; Containment failure (DCH);
Containment Isolation failure.]
Fig. 4.3.1.2-1 Conceptual diagram of event tree for TQUX (1/3)
[Figure: event tree diagram. Headings: Following Event; Coolant Injection into Containment (ECCS
Spray, Alternative Spray); Long Term Cooling; Containment Venting; Containment Condition. End
states: Stable state without containment venting; Containment Venting; Containment Failure
(Overpressure).]
Fig. 4.3.1.2-2 Conceptual diagram of event tree for TQUX (2/3)
[Figure: event tree diagram. Headings: T1/T2 Following Event; T3B; Injection into containment with
RHR (Lower D/W injection, Upper D/W spray); Injection into containment with alternative coolant
injection (Lower D/W injection, Upper D/W spray); FCI at injection into containment; Debris Cooling;
Long Term Cooling; Containment Venting; Containment failure by overpressure; Containment Condition.
End states: Stable state without containment venting; Containment Venting; Containment Failure
(Overpressure); Containment Failure (MCCI); Containment Failure (MCCI continue); Containment
Failure (Over temperature); Containment Failure (Ex-vessel FCI).]
Fig. 4.3.1.2-3 Conceptual diagram of event tree for TQUX (3/3)
4.3.1.3 Indicative results
(1) Results from Japanese ABWR
Existing internal Level 1 and Level 1.5 PSA results for the Japanese ABWR are introduced here.
The reference documents are the same as those introduced in section 4.2.1 [13] [14] [15]. Table 4.3.1.3-1
shows the CDFs, CFFs and CCFPs (conditional containment failure probabilities) calculated by the
utility and JNES. Mitigation features credited in the PSAs are shown in Table 4.3.1.3-2. The CCFPs
estimated by both parties are within the range of 0.1~0.4.
Fig. 4.3.1.3-1 shows the containment failure frequency by containment failure mode. The
containment failure modes “penetration overtemperature” and “overpressure by steam” are the first and
second largest contributors to the total CCF in both the results by the utility and JNES. Penetration
overtemperature occurs if coolant injection into the RPV or containment remains failed. TB sequences in
which the AC power supply remains lost even after the RCIC terminates at 8 hours (in the case of long term
TB) largely lead to RPV failure with this failure mode. In this case, containment spray with RHR
after recovery of AC power, or containment spray with alternative water injection, can prevent
“penetration overtemperature”. The dominant contributor to overpressure by steam is the TW sequence.
Recovery of RHR or containment venting can prevent this failure mode.
Table 4.3.1.3-1 PSA results (Containment failure frequency)
[This information is removed intentionally]
Table 4.3.1.3-2 Mitigation features credited in Japanese ABWR PSA
[This information is removed intentionally]
[Figure: chart with a logarithmic axis from 1.0E-16 to 1.0E-07, labelled "Core Damage Frequency (/y)";
series: Utility, JNES.]
Fig. 4.3.1.3-1 Containment failure frequency
(This figure is developed from the data in ref. [15])
(2) Results from US ABWR DCD PSA (NUREG-1503 [17])
The major difference in Level 2 PSA mitigation features between the US ABWR and the Japanese ABWR is
the passive mitigation used in the US ABWR. It consists of the LDF (Lower D/W Flooder system), which
supplies water from the S/P to the lower D/W to cover the debris there after RPV failure, and the COPS
(Containment Overpressure Protection System), which is a passive containment venting system.
The LDF consists of pipes that run from the vertical pedestal vents into the lower drywell. Each pipe
contains a fusible plug valve connected by a flange to the end of the pipe that extends into the lower
drywell. The fusible plug valves open when the drywell atmosphere (and subsequently the fusible
plug valve) temperature reaches 260 degree-C.
Table 4.3.1.3-3 shows the CFFs and CCFPs of the US ABWR calculated by GE and NRC. There are
two criteria for defining containment failure, i.e., structural integrity and dose definition. The higher
CCFP estimated by NRC than by GE based on structural integrity is due to (1) the contribution from
unisolated LOCAs outside containment and (2) an increased probability of containment failure by DCH.
The higher CCFP estimated by NRC than by GE under the dose definition arises because doses in excess
of 25 rem at 0.8 km occur only when structural integrity is breached in GE’s result, while 60% of the
frequency of sequences with COPS actuation is treated as containment failure in addition to breached
structural integrity in NRC’s result. However, NRC concluded that a CCFP of 0.1 met the Commission’s
safety goal.
Table 4.3.1.3-3 Containment failure probability of US ABWR DCD PSA (NUREG-1503 [17])

                        GE Updated PRA                        Staff-Adjusted Result
                                                              (U.S. NRC cross check result)
Performance Measure     Containment Failure   Conditional     Containment Failure   Conditional
                        Probability (CFP)     CFP             Probability (CFP)     CFP
Structural Integrity    7.7E-10               0.005           4.1E-9                0.026
Dose Definition (*)     3E-10                 0.002           1.6E-8                0.10

(*) 25 rem at 0.8 km
4.3.2 Internal Event Level 2 PSA (Shutdown and Spent Fuel Pool)
For the period during which the RPV/PCV top heads are closed, the primary coolant boundary and the PCV
can be credited as barriers to radioactive materials, so the Level 2 PSA supported by severe
accident analysis will be essentially the same as the Level 2 PSA for normal operation. The resulting source
term is expected to be of a similar level to that of severe accidents initiated from normal operation.
For the period during which the RPV/PCV is opened, on the other hand, only the secondary containment
facility (reactor building) would be the barrier after radioactive materials are released from the fuel
rods. Countermeasures for minimizing the source term will be rather important.
[This information is removed intentionally] Countermeasures against hydrogen issues will also contribute to
source term reduction. Scrubbing of volatile Fission Products by flooding damaged fuel will also be
important. It should be emphasized that the CDF during the period with the RPV/PCV opened
(mostly POS “B”) is not dominant, based on a past study in Japan. The method of Level 2 PRA for
such a period is to be discussed. The simplest way is to set the conditional large release frequency as
1.0 and to assume a certain release fraction of Fission Products relative to the total inventory according to past
experiments.
The methodology of the internal Level 2 PSA for the SFP will basically follow that for the shutdown
PSA. Based on this assumption, the currently expected CDF (internal) for the SFP is small, as discussed in
4.2.3.5.
In addition, compliance with targets 7, 8 and 9 in the SAP will be assessed for the shutdown condition and the SFP as
well as for the reactor at normal operation.
4.4 Internal Event Level 3 PSA
This sub-section describes the approach to the Level 3 PSA. In the early phase of GDA, the evacuation plan,
which is critical to risk reduction, is not defined. Under this limitation, the Level 3 PSA will be
conducted using a generic site condition. With regard to quantification of risk, the source term will be
analyzed using the MAAP code, and consequence analysis will be performed with an adequate code.
A full scope PSA is currently considered for UK ABWR GDA, and this will enable comparison with
Targets 7, 8, and 9 to be made. An approach to a Level 3 PSA will be defined. The development plan
will be discussed with ONR/EA.
4.5 External Event PSA
This sub-section describes the approach to the external event PSA.
(1) General
Based on the assessment of internal hazards and external hazards, hazards that have important risk
features are selected by a simple qualitative screening process. PSA for the selected hazards will be
conducted in GDA.
Basically, earthquake, internal flooding and internal fire are assumed to have important risk features
and will at least be assessed with a probabilistic approach.
(2) Seismic PSA (Seismic Margin Analysis)
Because seismic hazard assessment with site-specific data will not be performed in GDA, the risk of
seismic events was evaluated by seismic margin analysis. Important sequences and important
components in terms of seismic risk are extracted by this analysis. Earthquake resistance is not dealt
with in GDA. Therefore, generic data is basically applied and plant-specific data is applied if
available.
According to an existing study, SBO caused by loss of the component cooling systems, which have many
components, is an important sequence. Against this type of sequence, improvement of the seismic
resistance of the component cooling systems for safety systems, or systems for core cooling and
long-term cooling that do not need component cooling systems (such as RCIC, FLSS after
depressurization, and containment venting), have an important role in mitigation in this uncertain event.
(3) Internal Flooding PSA
The potential flooding sources and their failure frequencies for the internal flooding PSA are based on the internal
hazard study. Therefore, the internal flooding PSA is performed after the deterministic study of internal flooding.
Assessment of the reliability of components that survive the flooding is performed in the
same way as for internal events.
According to an existing study, important internal flooding sequences are as follows.
Turbine building
・A large pipe breaks in the CWS
・The isolation valves in the CWS lines fail to close
・Water fills up and runs out of the condenser pit
・The fire door between the turbine building and service building is either open or fails open,
allowing water into the service building
・The service building floods and a door between the service building and the control building
fails open or is open.
Reactor building
・A large pipe breaks in the RSW piping in the RSW/RCW room and the operator fails to isolate
the flooding
The internal flooding PSA for UK ABWR is performed considering the characteristics of its layout.
(4) Internal Fire PSA
The potential fire sources and their ignition frequencies for the internal fire PSA are based on the internal hazard
study. Therefore, the internal fire PSA is performed after the deterministic study of internal fire. Assessment of the
reliability of components that survive the fire is performed in the same way as for internal
events.
[This information is removed intentionally]
The internal fire PSA for UK ABWR is performed considering the characteristics of its layout.
4.6 Conclusions
Risk reduction features of the UK ABWR design in terms of redundancy, diversity and independence
will be demonstrated by PSA. UK ABWR PSA results will be compared with SAP target 7 and target
9, and their validity will be evaluated. In addition, the PSA is used to improve the design and operational
procedures.
5. Conclusions
Draft initiating events for DSA, as the starting point of our discussion, have been developed by qualitative
analysis considering frequency, severity and representativeness, as shown in Table 2.2-1. Also, a draft
fault schedule has been developed on the basis of Hitachi-GE practice. The list of initiating events,
fault schedule and fault sequence will be developed for all modes of operation in Step 2.
In this document, examples of DSA performed based on Hitachi-GE practice are presented.
According to these analysis results, the acceptance criteria in Japan are met by the safety systems of the
Japanese ABWR. DSA for UK ABWR will be performed to confirm the adequacy of the safety
design and the suitability and sufficiency of the safety measures against target 4 in the HSE SAPs in
Step 2.
Risk reduction features of the UK ABWR design in terms of redundancy, diversity and independence
are demonstrated by PSAs. UK ABWR PSA results are compared with SAP target 7 and target 9,
and their validity is evaluated. In addition, the PSA is used to improve the design and operational procedures.
The following is a development plan of PSAs for UK ABWR during GDA:
6. Reference
[1] NSCRG:L-SE-I.0 Regulatory Guide: Evaluating Safety Assessment of Light Water Reactor
Facilities, Revision on March 29, 2001 by the Nuclear Safety Commission
http://www.nsr.go.jp/archive/nsc/NSCenglish/guides/nsc_rg_lwr.htm
http://www.nsr.go.jp/archive/nsc/NSCenglish/guides/lwr/L-SE-I_0.pdf
[2] NSCRG: L-SE-I.03 Regulatory Guide for Evaluating Reactivity Insertion Events of Light
Water Nuclear Power Reactor Facilities, Revision on August 30, 1990 by the Nuclear Safety
Commission
http://www.nsr.go.jp/archive/nsc/NSCenglish/guides/lwr/L-SE-I_03.pdf
[3] NSCRG: L-SE-I.02 Regulatory Guide for Evaluating Emergency Core Cooling System
Performance of Light Water Power Reactors, Revision on July 11, 1992 by the Nuclear Safety
Commission
http://www.nsr.go.jp/archive/nsc/NSCenglish/guides/lwr/L-SE-I_02.pdf
[4] Establishment permission application document of the nuclear power station
(Kashiwazaki-Kariwa unit 6/7) (in Japanese), March 1998, by Tokyo Electric Power Company
[5] SC-P008:2008: A Standard for Procedures of Probabilistic Safety Assessment of Nuclear
Power Plants during Power Operation (Level 1PSA) (in Japanese), March 2009, by Atomic
Energy Society of Japan (AESJ)
[6] TR-016780-V2R8: Advanced Light Water Reactor Utility Requirements Document, Volume 2,
Revision 8: ALWR Evolutionary Plant, March 1999, by EPRI
http://www.epri.com/abstracts/Pages/ProductAbstract.aspx?ProductId=TR-016780-V2R8
[7] NUREG-1829: Estimating Loss-of-Coolant Accident (LOCA) Frequencies Through the
Elicitation Process, April 2008, by U.S.NRC
http://www.nrc.gov/reading-rm/doc-collections/nuregs/staff/sr1829/
[8] NUREG/CR-5750: Rates of Initiating Events at U.S. Nuclear Power Plants: 1987-1995,
February 1999, by Idaho National Engineering and Environmental Laboratory
http://pbadupws.nrc.gov/docs/ML0618/ML061860698.pdf
[9] GA21-9910-0001-00001: PSA Support Document, December 2013, Hitachi-GE Nuclear
Energy, ltd.
[10] Estimation of national general component failure rate considering uncertainties about number
of failure cases, May 2009, by The Japan Nuclear Technology Institute (JANTI)
http://www.nucia.jp/jfiles/reliability/REPORT200905.pdf
[11] NUREG/CR-1278: Handbook of Human Reliability Analysis with Emphasis on Nuclear Power
Plant Applications, August 1983, by U.S.NRC
http://pbadupws.nrc.gov/docs/ML0712/ML071210299.pdf
[12] NUREG/CR-4772: Accident Sequence Evaluation Program (ASEP) HRA Procedure, February
1987, by Sandia National Laboratory
http://www.osti.gov/scitech/biblio/6370593
[13] The report of accident management review for Shimane NPP Unit3 (in Japanese), April 2010,
by Chugoku Electric Power Co. INC
[14] The report of Probabilistic Safety Assessment for Shimane NPP Unit 3 (in Japanese), April
2010, by Chugoku Electric Power Co. INC
[15] H22-C01 r1: The assessment report of the accident management review report on Shimane NPP
Unit 3 prepared by Chugoku Electric Power Co. INC. (in Japanese), August 2010, by Japan
Nuclear Energy Safety Organization (JNES)
http://www.nsr.go.jp/archive/nisa/shingikai/800/18/001/sankou1-3.pdf
[16] "ABWR Design Control Document." 1997 by GE Nuclear Energy
[17] NUREG-1503: Final Safety Evaluation Report Related to the Certification of the Advanced
Boiling Water Reactor Design, Vol.1, July 1994 by U.S.NRC
http://pbadupws.nrc.gov/docs/ML0806/ML080670592.html
[18] AESJ-SC-P001:2010: A Standard for Procedures of Probabilistic Safety Assessment of Nuclear
Power Plants during shutdown state (Level 1PSA) (in Japanese), November 2011, by Atomic
Energy Society of Japan (AESJ)
[19] GA91-9901-0003-00001: Initial Safety Case report on Spent Fuel Storage Pool, UK ABWR
GDA Step 1b s9b, December 2013, by Hitachi-GE Nuclear Energy, ltd.
[20] AESJ-SC-P009:2008: A Standard for Procedures of Probabilistic Safety Assessment of Nuclear
Power Plants during Power Operation (Level 2PSA), March 2009, by Atomic Energy Society
of Japan (AESJ)